GHSA-3m5q-q39v-xf8f

Suggest an improvement
Source
https://github.com/advisories/GHSA-3m5q-q39v-xf8f
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-3m5q-q39v-xf8f/GHSA-3m5q-q39v-xf8f.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-3m5q-q39v-xf8f
Aliases
Published
2023-10-17T13:52:09Z
Modified
2023-11-08T04:13:33.022116Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N CVSS Calculator
Summary
nocodb SQL Injection vulnerability
Details

Summary

Nocodb contains SQL injection vulnerability, that allows an authenticated attacker with creator access to query the underlying database.

Product

nocodb/nocodb

Tested Version

0.109.2

Details

SQL injection in SqliteClient.ts (GHSL-2023-141)

By supplying a specially crafted payload to the given below parameter and endpoint, an attacker can inject arbitrary SQL queries to be executed. Since this is a blind SQL injections, an attacker may need to use time-based payloads which would include a function to delay execution for a given number of seconds. The response time indicates, whether the result of the query execution was true or false. Depending on the result, the HTTP response will be returned after a given number of seconds, indicating TRUE, or immediately, indicating FALSE. In that way, an attacker can reveal the data present in the database.

The triggerList method creates a SQL query using the user-controlled table_name parameter value from the tableCreate endpoint.

async triggerList(args: any = {}) {
  const _func = this.triggerList.name;
  const result = new Result();
  log.api(`${_func}:args:`, args);

  try {
    args.databaseName = this.connectionConfig.connection.database;

    const response = await this.sqlClient.raw(
      `select *, name as trigger_name from sqlite_master where type = 'trigger' and tbl_name='${args.tn}';`,
    );
[...]

Impact

This issue may lead to Information Disclosure.

Credit

This issue was discovered and reported by GHSL team member @sylwia-budzynska (Sylwia Budzynska).

Disclosure Policy

This report is subject to our coordinated disclosure policy.

References

Affected packages

npm / nocodb

Package

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
0.111.0