GHSA-3M5Q-Q39V-XF8F

Vulnerability from github – Published: 2023-10-17 13:52 – Updated: 2023-10-17 13:52
VLAI?
Summary
nocodb SQL Injection vulnerability
Details

Summary

Nocodb contains SQL injection vulnerability, that allows an authenticated attacker with creator access to query the underlying database.

Product

nocodb/nocodb

Tested Version

0.109.2

Details

SQL injection in SqliteClient.ts (GHSL-2023-141)

By supplying a specially crafted payload to the given below parameter and endpoint, an attacker can inject arbitrary SQL queries to be executed. Since this is a blind SQL injections, an attacker may need to use time-based payloads which would include a function to delay execution for a given number of seconds. The response time indicates, whether the result of the query execution was true or false. Depending on the result, the HTTP response will be returned after a given number of seconds, indicating TRUE, or immediately, indicating FALSE. In that way, an attacker can reveal the data present in the database.

The triggerList method creates a SQL query using the user-controlled table_name parameter value from the tableCreate endpoint.

async triggerList(args: any = {}) {
  const _func = this.triggerList.name;
  const result = new Result();
  log.api(`${_func}:args:`, args);

  try {
    args.databaseName = this.connectionConfig.connection.database;

    const response = await this.sqlClient.raw(
      `select *, name as trigger_name from sqlite_master where type = 'trigger' and tbl_name='${args.tn}';`,
    );
[...]

Impact

This issue may lead to Information Disclosure.

Credit

This issue was discovered and reported by GHSL team member @sylwia-budzynska (Sylwia Budzynska).

Disclosure Policy

This report is subject to our coordinated disclosure policy.

Severity ?
6.5 (Medium)
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "nocodb"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.111.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-43794"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-89"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-10-17T13:52:09Z",
    "nvd_published_at": "2023-10-17T21:15:46Z",
    "severity": "MODERATE"
  },
  "details": "## Summary\n\nNocodb contains SQL injection vulnerability, that allows an authenticated attacker with creator access to query the underlying database.\n\n## Product\n\nnocodb/nocodb\n\n## Tested Version\n\n[0.109.2](https://github.com/nocodb/nocodb/releases/tag/0.109.2)\n\n## Details\n\n### SQL injection in `SqliteClient.ts` (`GHSL-2023-141`)\nBy supplying a specially crafted payload to the given below parameter and endpoint, an attacker can inject arbitrary SQL queries to be executed. Since this is a blind SQL injections, an attacker may need to use time-based payloads which would include a function to delay execution for a given number of seconds. The response time indicates, whether the result of the query execution was true or false. Depending on the result, the HTTP response will be returned after a given number of seconds, indicating TRUE, or immediately, indicating FALSE. In that way, an attacker can reveal the data present in the database.\n\nThe [`triggerList`](https://github.com/nocodb/nocodb/blob/3ec82824eeb2295f6b67fd67e7d6049784b41221/packages/nocodb/src/db/sql-client/lib/sqlite/SqliteClient.ts#L628-L654) method creates a SQL query using the user-controlled [`table_name`](https://github.com/nocodb/nocodb/blob/3ec82824eeb2295f6b67fd67e7d6049784b41221/packages/nocodb/src/db/sql-client/lib/sqlite/SqliteClient.ts#L637) parameter value from the [`tableCreate`](https://github.com/nocodb/nocodb/blob/3ec82824eeb2295f6b67fd67e7d6049784b41221/packages/nocodb/src/controllers/tables.controller.ts#L63) endpoint.\n\n```javascript\nasync triggerList(args: any = {}) {\n  const _func = this.triggerList.name;\n  const result = new Result();\n  log.api(`${_func}:args:`, args);\n\n  try {\n    args.databaseName = this.connectionConfig.connection.database;\n\n    const response = await this.sqlClient.raw(\n      `select *, name as trigger_name from sqlite_master where type = \u0027trigger\u0027 and tbl_name=\u0027${args.tn}\u0027;`,\n    );\n[...]\n```\n\n#### Impact\n\nThis issue may lead to `Information Disclosure`.\n\n## Credit\n\nThis issue was discovered and reported by GHSL team member [@sylwia-budzynska (Sylwia Budzynska)](https://github.com/sylwia-budzynska).\n\n\n## Disclosure Policy\n\nThis report is subject to our [coordinated disclosure policy](https://securitylab.github.com/advisories#policy).",
  "id": "GHSA-3m5q-q39v-xf8f",
  "modified": "2023-10-17T13:52:09Z",
  "published": "2023-10-17T13:52:09Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/nocodb/nocodb/security/advisories/GHSA-3m5q-q39v-xf8f"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-43794"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/nocodb/nocodb"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nocodb/nocodb/blob/3ec82824eeb2295f6b67fd67e7d6049784b41221/packages/nocodb/src/controllers/tables.controller.ts#L63"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nocodb/nocodb/blob/3ec82824eeb2295f6b67fd67e7d6049784b41221/packages/nocodb/src/db/sql-client/lib/sqlite/SqliteClient.ts#L628-L654"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nocodb/nocodb/blob/3ec82824eeb2295f6b67fd67e7d6049784b41221/packages/nocodb/src/db/sql-client/lib/sqlite/SqliteClient.ts#L637"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "nocodb SQL Injection vulnerability"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.