GHSA-8fxg-mr34-jqr8

Source
https://github.com/advisories/GHSA-8fxg-mr34-jqr8
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-8fxg-mr34-jqr8/GHSA-8fxg-mr34-jqr8.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-8fxg-mr34-jqr8
Aliases
  • CVE-2023-50718
Published
2024-05-13T16:46:59Z
Modified
2024-05-14T18:06:12Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
Summary
NocoDB SQL Injection vulnerability
Details

### Summary

An authenticated attacker with create access could conduct a SQL injection attack on the MySQL database through the unescaped `table_name`.

### Details

The SQL injection vulnerability occurs in `VitessClient.ts`.

```ts
async columnList(args: any = {}) {
    const func = this.columnList.name;
    const result = new Result();
    log.api(`${func}:args:`, args);

    try {
      args.databaseName = this.connectionConfig.connection.database;

      // args.tn is interpolated into the SQL text without escaping
      const response = await this.sqlClient.raw(
        `select *, table_name as tn from information_schema.columns where table_name = '${args.tn}' ORDER by ordinal_position`,
      );
      // ... (the rest of the method is not shown in the advisory)
```

The variable `${args.tn}` is the table name entered by the user. By including a special character (`'`) in the table name, a malicious attacker can break out of the existing query, then insert and execute a new arbitrary SQL query.
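The interpolated query above next to a bound-parameter form, as an added example that is not NocoDB's code or its actual fix. It assumes the client's `raw` accepts `?` placeholders with a bindings array (as Knex's `raw(sql, bindings)` does); `RecordingSqlClient`, the helper names, the allowlist pattern and the sample table names are hypothetical and constructed for illustration.

```typescript
// Stand-in for a client exposing raw(sql, bindings); hypothetical, records calls instead of hitting a DB.
type RawCall = { sql: string; bindings: string[] };
class RecordingSqlClient {
  calls: RawCall[] = [];
  raw(sql: string, bindings: string[] = []): RawCall {
    const call: RawCall = { sql, bindings };
    this.calls.push(call);
    return call;
  }
}

// Before: the table name becomes part of the SQL text (same shape as the advisory excerpt).
function columnListUnsafe(client: RecordingSqlClient, tn: string): RawCall {
  return client.raw(
    `select *, table_name as tn from information_schema.columns where table_name = '${tn}' ORDER by ordinal_position`,
  );
}

// After: the SQL text is a constant and the table name travels as a bound value.
function columnListBound(client: RecordingSqlClient, tn: string): RawCall {
  return client.raw(
    'select *, table_name as tn from information_schema.columns where table_name = ? ORDER by ordinal_position',
    [tn],
  );
}

// Defence in depth (assumed policy): accept only plain identifiers when a table is created.
const TABLE_NAME_RE = /^[A-Za-z0-9_]{1,64}$/;
function isSafeTableName(tn: string): boolean {
  return TABLE_NAME_RE.test(tn);
}

// Replace every quoted literal with "?" so two statements can be compared by structure alone.
function skeleton(sql: string): string {
  return sql.replace(/'(?:[^']|'')*'/g, '?');
}

// Constructed inputs: an ordinary table name and one containing the quote character.
const BENIGN_TN = 'orders';
const QUOTED_TN = "orders' OR '1'='1";

// True when the statement's structure changes with the input, i.e. the input is parsed as SQL.
function structureDependsOnInput(build: (c: RecordingSqlClient, tn: string) => RawCall): boolean {
  const client = new RecordingSqlClient();
  return skeleton(build(client, BENIGN_TN).sql) !== skeleton(build(client, QUOTED_TN).sql);
}
```

`structureDependsOnInput(columnListUnsafe)` is true and `structureDependsOnInput(columnListBound)` is false: with binding, the quote character stays inside the value and never reaches the SQL parser as syntax.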

### Impact

This vulnerability may result in leakage of sensitive data in the database.

Database specific
{
    "nvd_published_at": "2024-05-14T14:17:02Z",
    "cwe_ids": [
        "CWE-89"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2024-05-13T16:46:59Z"
}
Affected packages

npm / nocodb

Package

Affected ranges

Type
SEMVER
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
0.202.10

Database specific

{
    "last_known_affected_version_range": "<= 0.202.9"
}