Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS0zbTVxLXEzOXYteGY4Zs4AA2gV
nocodb SQL Injection vulnerability
Summary
Nocodb contains SQL injection vulnerability, that allows an authenticated attacker with creator access to query the underlying database.
Product
nocodb/nocodb
Tested Version
Details
SQL injection in SqliteClient.ts (GHSL-2023-141)
By supplying a specially crafted payload to the given below parameter and endpoint, an attacker can inject arbitrary SQL queries to be executed. Since this is a blind SQL injections, an attacker may need to use time-based payloads which would include a function to delay execution for a given number of seconds. The response time indicates, whether the result of the query execution was true or false. Depending on the result, the HTTP response will be returned after a given number of seconds, indicating TRUE, or immediately, indicating FALSE. In that way, an attacker can reveal the data present in the database.
The triggerList method creates a SQL query using the user-controlled table_name parameter value from the tableCreate endpoint.
async triggerList(args: any = {}) {
const _func = this.triggerList.name;
const result = new Result();
log.api(`${_func}:args:`, args);
try {
args.databaseName = this.connectionConfig.connection.database;
const response = await this.sqlClient.raw(
`select *, name as trigger_name from sqlite_master where type = 'trigger' and tbl_name='${args.tn}';`,
);
[...]
Impact
This issue may lead to Information Disclosure.
Credit
This issue was discovered and reported by GHSL team member @sylwia-budzynska (Sylwia Budzynska).
Disclosure Policy
This report is subject to our coordinated disclosure policy.
Permalink: https://github.com/advisories/GHSA-3m5q-q39v-xf8fJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS0zbTVxLXEzOXYteGY4Zs4AA2gV
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 7 months ago
Updated: 6 months ago
CVSS Score: 6.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
Identifiers: GHSA-3m5q-q39v-xf8f, CVE-2023-43794
References:
- https://github.com/nocodb/nocodb/security/advisories/GHSA-3m5q-q39v-xf8f
- https://github.com/nocodb/nocodb/blob/3ec82824eeb2295f6b67fd67e7d6049784b41221/packages/nocodb/src/controllers/tables.controller.ts#L63
- https://github.com/nocodb/nocodb/blob/3ec82824eeb2295f6b67fd67e7d6049784b41221/packages/nocodb/src/db/sql-client/lib/sqlite/SqliteClient.ts#L628-L654
- https://github.com/nocodb/nocodb/blob/3ec82824eeb2295f6b67fd67e7d6049784b41221/packages/nocodb/src/db/sql-client/lib/sqlite/SqliteClient.ts#L637
- https://nvd.nist.gov/vuln/detail/CVE-2023-43794
- https://github.com/advisories/GHSA-3m5q-q39v-xf8f
Blast Radius: 11.0
Affected Packages
npm:nocodb
Dependent packages: 1Dependent repositories: 49
Downloads: 1,158 last month
Affected Version Ranges: < 0.111.0
Fixed in: 0.111.0
All affected versions: 0.0.1, 0.1.29, 0.1.30, 0.1.31, 0.1.32, 0.1.33, 0.1.34, 0.1.35, 0.1.36, 0.1.37, 0.1.38, 0.9.11, 0.9.12, 0.9.13, 0.9.14, 0.9.15, 0.9.16, 0.9.17, 0.9.18, 0.9.19, 0.9.20, 0.9.21, 0.9.22, 0.9.23, 0.9.24, 0.9.25, 0.9.26, 0.9.27, 0.9.28, 0.9.29, 0.9.30, 0.9.31, 0.9.32, 0.9.33, 0.9.34, 0.9.35, 0.9.36, 0.9.37, 0.9.38, 0.9.39, 0.9.40, 0.9.41, 0.9.42, 0.9.43, 0.10.0, 0.10.1, 0.10.2, 0.10.3, 0.10.4, 0.10.5, 0.10.6, 0.11.0, 0.11.1, 0.11.2, 0.11.3, 0.11.4, 0.11.5, 0.11.7, 0.11.8, 0.11.9, 0.11.10, 0.11.11, 0.11.12, 0.11.13, 0.11.14, 0.11.15, 0.11.16, 0.11.17, 0.11.18, 0.11.19, 0.11.20, 0.11.21, 0.11.22, 0.11.23, 0.11.24, 0.11.25, 0.11.26, 0.11.27, 0.11.28, 0.11.29, 0.11.30, 0.11.32, 0.11.33, 0.11.34, 0.11.35, 0.11.36, 0.11.38, 0.11.39, 0.11.40, 0.11.41, 0.11.42, 0.11.43, 0.11.44, 0.11.45, 0.11.46, 0.80.0, 0.80.1, 0.81.0, 0.81.1, 0.82.0, 0.83.0, 0.83.1, 0.83.2, 0.83.3, 0.83.4, 0.83.5, 0.83.6, 0.83.8, 0.84.0, 0.84.1, 0.84.2, 0.84.3, 0.84.4, 0.84.5, 0.84.6, 0.84.7, 0.84.8, 0.84.9, 0.84.10, 0.84.12, 0.84.13, 0.84.14, 0.84.15, 0.84.16, 0.84.18, 0.90.0, 0.90.1, 0.90.2, 0.90.3, 0.90.4, 0.90.5, 0.90.7, 0.90.8, 0.90.9, 0.90.10, 0.90.11, 0.91.0, 0.91.1, 0.91.3, 0.91.6, 0.91.7, 0.91.8, 0.91.9, 0.91.10, 0.92.0, 0.92.1, 0.92.2, 0.92.3, 0.92.4, 0.96.0, 0.96.1, 0.96.2, 0.96.3, 0.96.4, 0.97.0, 0.98.0, 0.98.1, 0.98.2, 0.98.3, 0.98.4, 0.99.0, 0.99.1, 0.99.2, 0.100.0, 0.100.1, 0.100.2, 0.101.0, 0.101.1, 0.101.2, 0.104.0, 0.104.1, 0.104.2, 0.104.3, 0.105.0, 0.105.1, 0.105.2, 0.105.3, 0.106.0, 0.106.1, 0.107.0, 0.107.1, 0.107.2, 0.107.3, 0.107.4, 0.107.5, 0.108.0, 0.108.1, 0.109.0, 0.109.1, 0.109.2, 0.109.3, 0.109.4, 0.109.5, 0.109.6, 0.109.7
All unaffected versions: 0.111.0, 0.111.1, 0.111.2, 0.111.3, 0.111.4, 0.200.0, 0.202.0, 0.202.4, 0.202.5, 0.202.6, 0.202.7, 0.202.8, 0.202.9, 0.202.10, 0.203.0, 0.203.1, 0.203.2, 0.204.0, 0.204.1, 0.204.2, 0.204.3, 0.204.4, 0.204.5, 0.204.6, 0.204.7, 0.204.8, 0.204.9, 0.205.0, 0.205.1