NoSQL injection in nocodb
Description
nocodb SQL Injection vulnerability
Summary
Nocodb contains a SQL injection vulnerability that allows an authenticated attacker with creator access to query the underlying database.
Product
nocodb/nocodb
Tested Version
Details
SQL injection in SqliteClient.ts (GHSL-2023-141)
By supplying a specially crafted payload to the parameter and endpoint given below, an attacker can inject arbitrary SQL queries to be executed. Since this is a blind SQL injection, an attacker may need to use time-based payloads, which include a function that delays execution for a given number of seconds. The response time indicates whether the result of the query execution was true or false: the HTTP response is returned after the given number of seconds, indicating TRUE, or immediately, indicating FALSE. In this way, an attacker can reveal the data present in the database.
The triggerList method creates a SQL query using the user-controlled table_name parameter value from the tableCreate endpoint.
```typescript
async triggerList(args: any = {}) {
  const _func = this.triggerList.name;
  const result = new Result();
  log.api(`${_func}:args:`, args);
  try {
    args.databaseName = this.connectionConfig.connection.database;
    ...
```
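The pattern described above, shown next to a hardened form, as an added example that is not nocodb's code and not part of the original advisory. The query text, the helper names, the allowlist pattern and the sample inputs are assumptions made for illustration.

```typescript
// Added example: hypothetical helpers, not nocodb source code.
// Assumed query shape: list the SQLite triggers of one table via sqlite_master.

// Vulnerable pattern: the table name is interpolated into the SQL text,
// so a quote inside the name closes the string literal and alters the query.
function buildTriggerListUnsafe(tableName: string): string {
  return `SELECT name FROM sqlite_master WHERE type = 'trigger' AND tbl_name = '${tableName}'`;
}

// Hardened pattern: the SQL text is constant and the value travels as a binding.
// A { sql, bindings } pair is what a driver's parameterized call consumes.
function buildTriggerListSafe(tableName: string): { sql: string; bindings: string[] } {
  return {
    sql: "SELECT name FROM sqlite_master WHERE type = 'trigger' AND tbl_name = ?",
    bindings: [tableName],
  };
}

// Defense in depth when a table is created: allowlist the identifier.
// The character set and length limit are assumptions for this example.
const TABLE_NAME_RE = /^[A-Za-z_][A-Za-z0-9_]{0,62}$/;
function isValidTableName(tableName: string): boolean {
  return TABLE_NAME_RE.test(tableName);
}

// Number of single quotes in the SQL text; a change between two inputs
// means the input altered the statement's structure, not only its data.
function countQuotes(sql: string): number {
  return (sql.match(/'/g) || []).length;
}

// Constructed sample inputs (not taken from the advisory).
const BENIGN_NAME = "orders";
const CRAFTED_NAME = "orders' OR 'a'='a";

// Summarize how each builder reacts to one table name.
function inspect(tableName: string) {
  const safe = buildTriggerListSafe(tableName);
  return {
    accepted: isValidTableName(tableName),
    unsafeQuotes: countQuotes(buildTriggerListUnsafe(tableName)),
    safeQuotes: countQuotes(safe.sql),
    boundValue: safe.bindings[0],
  };
}
```

With the constructed inputs, the unsafe builder's quote count changes with the table name while the parameterized statement stays byte-for-byte the same.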
Impact
This issue may lead to Information Disclosure.
Credit
This issue was discovered and reported by GHSL team member @sylwia-budzynska (Sylwia Budzynska).
Disclosure Policy
This report is subject to our coordinated disclosure policy.
Mitigation
Update Impact
Minimal update. May introduce new vulnerabilities or breaking changes.
Ecosystem | Package | Affected version | Patched versions |
|---|---|---|---|
npm | 0.111.0 |