Lucene search

[email protected]CVE-2023-35843

HistoryJun 19, 2023 - 6:15 p.m.

CVE-2023-35843

2023-06-1918:15:09

CWE-22

[email protected]

web.nvd.nist.gov

nocodb

path traversal

vulnerability

security

cve-2023-35843

nvd

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

0.065 Low

EPSS

Percentile

93.8%

JSON

NocoDB through 0.106.0 (or 0.109.1) has a path traversal vulnerability that allows an unauthenticated attacker to access arbitrary files on the server by manipulating the path parameter of the /download route. This vulnerability could allow an attacker to access sensitive files and data on the server, including configuration files, source code, and other sensitive information.

Affected configurations

NVD

Node

nocodbnocodbRange≤0.106.1

CPENameOperatorVersion
nocodb:nocodbnocodble0.106.1

CPE	Name	Operator	Version
nocodb:nocodb	nocodb	le	0.106.1

References

advisory.dw1.io/60

github.com/nocodb/nocodb/blob/6decfa2b20c28db9946bddce0bcb1442b683ecae/packages/nocodb/src/lib/controllers/attachment.ctl.ts#L62-L74

github.com/nocodb/nocodb/blob/f7ee7e3beb91d313a159895d1edc1aba9d91b0bc/packages/nocodb/src/controllers/attachments.controller.ts#L55-L66

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

0.065 Low

EPSS

Percentile

93.8%

JSON

Related for CVE-2023-35843

veracode1 prion1 nvd1 nuclei1 cvelist1 osv1