Volerion logoVolerion
Volerion logoVolerion

OpenLink Virtuoso SQL Injection Vulnerability Leading to Denial-of-Service

Vulnerability

A denial-of-service vulnerability has been identified in OpenLink Virtuoso Open Source version 7.2.11. The issue arises in the 'sqlo_expand_jts' component, where attackers can cause a crash by sending specially crafted SQL statements. This vulnerability can be reproduced using the Virtuoso Docker image.

Impact

Exploitation of this vulnerability causes a denial-of-service condition by crashing the Virtuoso database server.

Reproduction

The vulnerability can be reproduced by first creating a SQL file with the crafted SQL injection payload. After removing any existing Docker container named 'virtdb_test', a new container can be started with the Virtuoso Docker image, using the 'dba' password. Once the server is running, the SQL file can be executed using the 'isql' command-line interface, which will trigger the denial-of-service condition by crashing the server.

Remediation

Users can upgrade to the latest version of OpenLink Virtuoso to address this vulnerability.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread
3.1
impact
2.5
exploitability
6.1
remediation
0.0
relevance
0.0
threat
6.4
urgency
2.9
incentive
1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.