Lucene search

GitHub Advisory DatabaseGHSA-MX8Q-JQWM-85MV

HistoryJun 14, 2022 - 12:00 a.m.

NocoDB information disclosure vulnerability

2022-06-1400:00:37

CWE-200

CWE-209

CWE-918

GitHub Advisory Database

github.com

5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

0.001 Low

EPSS

Percentile

51.1%

JSON

In NocoDB prior to 0.91.7, the SMTP plugin doesn’t have verification or validation. This allows attackers to make requests to internal servers and read the contents.

Affected configurations

Vulners

Node

nocodbnocodbRange<0.91.7

CPENameOperatorVersion
nocodblt0.91.7

CPE	Name	Operator	Version
	nocodb	lt	0.91.7

References

github.com/advisories/GHSA-mx8q-jqwm-85mv

github.com/nocodb/nocodb/commit/a18f5dd53811b9ec1c1bb2fdbfb328c0c87d7fb4

huntr.dev/bounties/35593b4c-f127-4699-8ad3-f0b2203a8ef6

nvd.nist.gov/vuln/detail/CVE-2022-2062

5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

0.001 Low

EPSS

Percentile

51.1%

JSON

Related for GHSA-MX8Q-JQWM-85MV