CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
EPSS
Percentile
27.0%
Nocodb contains SQL injection vulnerability, that allows an authenticated attacker with creator access to query the underlying database.
nocodb/nocodb
SqliteClient.ts
(GHSL-2023-141
)By supplying a specially crafted payload to the given below parameter and endpoint, an attacker can inject arbitrary SQL queries to be executed. Since this is a blind SQL injections, an attacker may need to use time-based payloads which would include a function to delay execution for a given number of seconds. The response time indicates, whether the result of the query execution was true or false. Depending on the result, the HTTP response will be returned after a given number of seconds, indicating TRUE, or immediately, indicating FALSE. In that way, an attacker can reveal the data present in the database.
The triggerList
method creates a SQL query using the user-controlled table_name
parameter value from the tableCreate
endpoint.
async triggerList(args: any = {}) {
const _func = this.triggerList.name;
const result = new Result();
log.api(`${_func}:args:`, args);
try {
args.databaseName = this.connectionConfig.connection.database;
const response = await this.sqlClient.raw(
`select *, name as trigger_name from sqlite_master where type = 'trigger' and tbl_name='${args.tn}';`,
);
[...]
This issue may lead to Information Disclosure
.
This issue was discovered and reported by GHSL team member @sylwia-budzynska (Sylwia Budzynska).
This report is subject to our coordinated disclosure policy.
github.com/advisories/GHSA-3m5q-q39v-xf8f
github.com/nocodb/nocodb/blob/3ec82824eeb2295f6b67fd67e7d6049784b41221/packages/nocodb/src/controllers/tables.controller.ts#L63
github.com/nocodb/nocodb/blob/3ec82824eeb2295f6b67fd67e7d6049784b41221/packages/nocodb/src/db/sql-client/lib/sqlite/SqliteClient.ts#L628-L654
github.com/nocodb/nocodb/blob/3ec82824eeb2295f6b67fd67e7d6049784b41221/packages/nocodb/src/db/sql-client/lib/sqlite/SqliteClient.ts#L637
github.com/nocodb/nocodb/security/advisories/GHSA-3m5q-q39v-xf8f
nvd.nist.gov/vuln/detail/CVE-2023-43794