CVE-2023-35843
📋 TL;DR
CVE-2023-35843 is a path traversal vulnerability in NocoDB that allows unauthenticated attackers to access arbitrary files on the server by manipulating the path parameter in the /download route. This affects all NocoDB instances running vulnerable versions, potentially exposing sensitive configuration files, source code, and other server data.
💻 Affected Systems
- NocoDB
📦 What is this software?
NocoDB, developed by NocoDB
⚠️ Risk & Real-World Impact
Worst Case
Complete server compromise through access to sensitive files like SSH keys, database credentials, or configuration files containing secrets, potentially leading to data exfiltration or further system exploitation.
Likely Case
Unauthenticated attackers accessing sensitive files including application source code, configuration files, and potentially user data stored in accessible directories.
If Mitigated
Limited impact with proper network segmentation, file system permissions, and monitoring in place to detect and block traversal attempts.
🎯 Exploit Status
Exploitation requires only HTTP requests to the vulnerable endpoint with crafted path parameters. Public proof-of-concept code is available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.109.2 or later
Vendor Advisory: https://github.com/nocodb/nocodb/security/advisories/GHSA-5w5q-4wj4-5vj5
Restart Required: Yes
Instructions:
1. Update NocoDB to version 0.109.2 or later.
2. Restart the NocoDB service.
3. Verify the fix by testing the /download endpoint with traversal attempts.
🔧 Temporary Workarounds
Web Application Firewall Rule
Block path traversal patterns in the /download route using WAF rules
Add WAF rule to block requests containing '../' or similar traversal patterns in the path parameter
Network Access Control
Restrict access to the NocoDB instance to trusted networks only
Configure firewall rules to allow only specific IP ranges to access NocoDB ports
🧯 If You Can't Patch
- Implement strict network segmentation to isolate NocoDB from sensitive systems
- Deploy a web application firewall with rules to detect and block path traversal attempts
🔍 How to Verify
Check if Vulnerable:
Test by sending a GET request to /download?path=../../../etc/passwd (or a similar traversal) and checking whether the server returns the contents of a sensitive file
Check Version:
Check the NocoDB version in the web interface or via the API endpoint /api/v1/version
Verify Fix Applied:
After patching, attempt the same traversal test and verify it returns an error or empty response instead of file content
📡 Detection & Monitoring
Log Indicators:
- HTTP requests to /download endpoint with '../' patterns in query parameters
- Unusual file access patterns from the web server process
Network Indicators:
- Multiple failed traversal attempts from single IP
- Unusual file paths in download requests
SIEM Query:
source="web_server_logs" AND uri_path="/download" AND (query_string="*../*" OR query_string="*..\\*" OR query_string="*%2e%2e%2f*")
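The same detection logic as the SIEM query above, applied offline to web server access-log lines, as an added example that is not part of the original advisory. The log lines are constructed, and the combined-style log format, the field names and the double-decoding step are assumptions; it also normalizes backslash and percent-encoded variants so that single-pattern misses in the query are avoided.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (not real NocoDB logs): one benign download,
# one plain traversal, one percent-encoded traversal, one backslash variant, one unrelated request.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jun/2023:12:00:01 +0000] "GET /download?path=uploads/report.pdf HTTP/1.1" 200 5120
198.51.100.7 - - [10/Jun/2023:12:00:02 +0000] "GET /download?path=../../../etc/passwd HTTP/1.1" 200 1024
198.51.100.7 - - [10/Jun/2023:12:00:03 +0000] "GET /download?path=%2e%2e%2f%2e%2e%2fetc%2fshadow HTTP/1.1" 403 0
198.51.100.7 - - [10/Jun/2023:12:00:04 +0000] "GET /download?path=..%5c..%5cwindows%5cwin.ini HTTP/1.1" 404 0
203.0.113.5 - - [10/Jun/2023:12:00:05 +0000] "GET /api/v1/version HTTP/1.1" 200 64
"""

# Assumed combined-style log layout: client IP, ident, user, [timestamp], "METHOD target PROTO", status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def normalize(value: str) -> str:
    """Percent-decode twice (catches %252e double encoding) and fold backslashes into slashes."""
    return unquote(unquote(value)).replace("\\", "/")

def is_traversal(path_param: str) -> bool:
    """True when any normalized path segment is '..', i.e. the value climbs out of the upload root."""
    return any(seg == ".." for seg in normalize(path_param).split("/"))

def scan_log(text: str):
    """Return (flagged_events, attempts_per_ip) for /download requests whose `path` traverses."""
    flagged = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        url = urlsplit(m["target"])
        if url.path != "/download":
            continue
        for value in parse_qs(url.query).get("path", []):
            if is_traversal(value):
                flagged.append({"ip": m["ip"], "status": int(m["status"]), "path": normalize(value)})
    return flagged, Counter(e["ip"] for e in flagged)

if __name__ == "__main__":
    events, per_ip = scan_log(SAMPLE_LOG)
    for event in events:
        print(event)
    print("traversal attempts per source IP:", dict(per_ip))
```

A 200 status on a flagged request is the signal that content was actually served; repeated 403/404 hits from one source match the "multiple failed traversal attempts" indicator above.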
🔗 References
- https://advisory.dw1.io/60
- https://github.com/nocodb/nocodb/blob/6decfa2b20c28db9946bddce0bcb1442b683ecae/packages/nocodb/src/lib/controllers/attachment.ctl.ts#L62-L74
- https://github.com/nocodb/nocodb/blob/f7ee7e3beb91d313a159895d1edc1aba9d91b0bc/packages/nocodb/src/controllers/attachments.controller.ts#L55-L66