Lucene search

GitHub Advisory DatabaseGHSA-MX8Q-JQWM-85MV

HistoryJun 14, 2022 - 12:00 a.m.

NocoDB information disclosure vulnerability

2022-06-1400:00:37

CWE-200

CWE-209

CWE-918

GitHub Advisory Database

github.com

nocodb vulnerability

smtp plugin

data disclosure

software security

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS

0.001

Percentile

51.0%

JSON

In NocoDB prior to 0.91.7, the SMTP plugin doesn’t have verification or validation. This allows attackers to make requests to internal servers and read the contents.

Affected configurations

Vulners

Node

nocodbnocodbRange<0.91.7

VendorProductVersionCPE
nocodbnocodb*cpe:2.3:a:nocodb:nocodb:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
nocodb	nocodb	*	cpe:2.3:a:nocodb:nocodb::::::::

References

github.com/advisories/GHSA-mx8q-jqwm-85mv

github.com/nocodb/nocodb/commit/a18f5dd53811b9ec1c1bb2fdbfb328c0c87d7fb4

huntr.dev/bounties/35593b4c-f127-4699-8ad3-f0b2203a8ef6

nvd.nist.gov/vuln/detail/CVE-2022-2062

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS

0.001

Percentile

51.0%

JSON

Related for GHSA-MX8Q-JQWM-85MV