Launch Week Day 1: Announcing Security Design Review
Start for Free
MEDIUM 6.5 npm

NocoDB SQL Injection vulnerability

GHSA-8fxg-mr34-jqr8 · CVE-2023-50718

Published · Modified

Description

Summary

An authenticated attacker with create access could conduct a SQL Injection attack on MySQL DB using unescaped table_name.

Details

SQL Injection vulnerability occurs in VitessClient.ts.

async columnList(args: any = {}) {
    const func = this.columnList.name;
    const result = new Result();
    log.api(`${func}:args:`, args);

    try {
      args.databaseName = this.connectionConfig.connection.database;

      const response = await this.sqlClient.raw(
        `select *, table_name as tn from information_schema.columns where table_name = '${args.tn}' ORDER by ordinal_position`,
      );

The variable ${args.tn} refers to the table name entered by the user.
A malicious attacker can escape the existing query by including a special character (') in the table name and insert and execute a new arbitrary SQL query.

Impact

This vulnerability may result in leakage of sensitive data in the database.

References

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes