SQL injection - Code In nocodb

Description

NocoDB SQL Injection vulnerability

Summary


An authenticated attacker with create access could conduct a SQL injection attack against the MySQL database through the unescaped table_name.

Details


The SQL injection vulnerability occurs in VitessClient.ts.

async columnList(args: any = {}) {
    const func = this.columnList.name;
    const result = new Result();
    log.api(`${func}:args:`, args);

    try {
      args.databaseName = this.connectionConfig.connection.database;
...

The variable ${args.tn} holds the table name entered by the user. A malicious attacker can break out of the existing query by including a special character (') in the table name, and then insert and execute a new, arbitrary SQL query.
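The flaw described above, as an added example that is not NocoDB's code: the SQL text, the function names and the sample inputs are assumptions standing in for the query elided from columnList(). It builds the same lookup by interpolation and with a bound parameter, then checks whether the table name is still pure data in the resulting statement.

```typescript
// Added illustration, not NocoDB code. The SQL text is an assumed stand-in for
// the query elided from columnList(); only the role of args.tn is from the advisory.
interface Query { sql: string; bindings: string[] }

const BASE = "select column_name from information_schema.columns where table_name = ";

// Vulnerable pattern: the table name is pasted inside a quoted SQL literal.
function columnListUnsafe(tn: string): Query {
  return { sql: `${BASE}'${tn}'`, bindings: [] };
}

// Hardened pattern: the name is a bound parameter and never becomes SQL text.
function columnListBound(tn: string): Query {
  return { sql: `${BASE}?`, bindings: [tn] };
}

// Minimal lexer for single-quoted literals ('' is an escaped quote).
// Backslash escapes are ignored to keep the sketch short.
function stringLiterals(sql: string): string[] {
  const out: string[] = [];
  let i = 0;
  while (i < sql.length) {
    if (sql.charAt(i) !== "'") { i++; continue; }
    let lit = "";
    i++; // skip the opening quote
    while (i < sql.length) {
      if (sql.charAt(i) === "'") {
        if (sql.charAt(i + 1) !== "'") break; // closing quote
        lit += "'";
        i += 2;
        continue;
      }
      lit += sql.charAt(i++);
    }
    i++; // skip the closing quote (or run off the end if unterminated)
    out.push(lit);
  }
  return out;
}

// True when the input is still pure data: either it travels as a binding, or
// the statement holds exactly one literal whose content equals the input.
function inputStaysData(q: Query, tn: string): boolean {
  const lits = stringLiterals(q.sql);
  if (q.bindings.indexOf(tn) !== -1) return lits.length === 0;
  return lits.length === 1 && lits[0] === tn;
}

// Constructed sample inputs: a plain name and two names containing a quote.
const SAMPLES = ["orders", "o'brien", "x' OR 'a'='a"];
```

With the interpolated builder, any name containing a quote changes the number of literals in the statement, including a harmless one such as o'brien; with the bound builder the statement text is identical for every input.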

Impact


This vulnerability may result in leakage of sensitive data in the database.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.
