CVE-2023-35843
Published: 2023-06-19
Priority: P1 · 78 · high · 7.5 (CVSS 3.1)
CVSS vector: AV:N AC:L PR:N UI:N S:U C:H I:N A:N
Tags: ITW · Exploit · VulnCheck KEV
Exploited in the wild
EPSS: 8.95% (94.6th percentile)
NocoDB through 0.106.0 (or 0.109.1) has a path traversal vulnerability that allows an unauthenticated attacker to access arbitrary files on the server by manipulating the path parameter of the /download route. This vulnerability could allow an attacker to access sensitive files and data on the server, including configuration files, source code, and other sensitive information.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| nocodb | nocodb | <= 0.106.1 | — |
Detection & IOCs (extracted from sources)
yara regex: root:[x*]:0:0
- Detect path traversal attempts against the NocoDB /download route by looking for URL-encoded traversal sequences (..%2F) in GET requests to /download/
- A successful exploit response will return HTTP 200 with /etc/passwd content matching root:[x*]:0:0; monitor for this pattern in HTTP response bodies from NocoDB instances
- Identify exposed NocoDB instances via Shodan favicon hash -2017596142 or FOFA icon_hash=-2017596142 for proactive asset discovery
- The vulnerability is unauthenticated (no session token or authentication header is required); flag any unauthenticated GET requests to /download/ containing repeated ..%2F sequences
- Affected versions are NocoDB <= 0.106.1 (NVD also references <= 0.109.1 in one description); verify the exact version ceiling against your deployment
- The vulnerable code path exists in two separate controller files across different NocoDB versions; both should be reviewed when assessing patch status
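The two detection indicators above (encoded traversal sequences in GET requests to /download/, and a leaked /etc/passwd body) as a small log and response checker. This is an added example, not code from the page or the NocoDB project; the log format, IPs and sample lines are constructed, and it generalises the page's literal ..%2F pattern by URL-decoding twice so %2e%2e%2f and double-encoded variants are also caught.

```python
import re
from urllib.parse import unquote

# Request side: the page's indicator is repeated "..%2F" in a GET to /download/.
# Decoding first (twice, for double-encoding) also catches %2e%2e%2f and
# mixed-case variants, a generalisation beyond the page's literal pattern.
DOWNLOAD_RE = re.compile(r"^/download/", re.IGNORECASE)
TRAVERSAL_RE = re.compile(r"(\.\./){2,}")

# Response side: the Nuclei matcher regex quoted on the page.
PASSWD_RE = re.compile(r"root:[x*]:0:0")

# Minimal parser for constructed combined-log style lines (assumed format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]+" (?P<status>\d{3})'
)


def is_traversal_request(method: str, path: str) -> bool:
    """True for a GET to /download/ whose decoded path holds >= 2 '../'."""
    if method != "GET" or not DOWNLOAD_RE.match(path):
        return False
    decoded = unquote(unquote(path))  # second pass handles %25-encoded dots/slashes
    return bool(TRAVERSAL_RE.search(decoded))


def leaked_passwd(body: str) -> bool:
    """True when a response body looks like /etc/passwd content."""
    return bool(PASSWD_RE.search(body))


def scan_log(lines):
    """Return (ip, path, status) for every suspicious /download/ request.
    A status of 200 on such a request is the page's success indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_traversal_request(m["method"], m["path"]):
            hits.append((m["ip"], m["path"], int(m["status"])))
    return hits


# Constructed sample lines: one normal attachment download, one traversal attempt.
SAMPLE_LOG = [
    '203.0.113.5 - - [19/Jun/2023:10:00:00 +0000] "GET /download/noco/p1/t1/img.png HTTP/1.1" 200 512',
    '198.51.100.7 - - [19/Jun/2023:10:00:01 +0000] "GET /download/..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1234',
    '203.0.113.5 - - [19/Jun/2023:10:00:02 +0000] "POST /api/v1/auth/user/signin HTTP/1.1" 401 80',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("suspicious /download/ request:", hit)
```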
CVSS provenance
NVD (v3.1): 7.5 HIGH, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
VulnCheck: 7.5 HIGH
GHSA
GHSA-cjjg-rvc7-5p7r: NocoDB through 0
ghsa_unreviewed · 2023-06-19
VulnCheck
nocodb nocodb Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
vulncheck · 2023 · CVSS 7.5 [HIGH]
Affected: nocodb nocodb
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://media.defense.gov/2024/Sep/18/2003547016/-1/-1/0/CSA-PRC-LINKED-ACTORS-BOTNET.PDF
Exploit PoC: https://vulnch
No detection rules found.
Nuclei
NocoDB version <= 0.106.1 - Arbitrary File Read
nuclei · CVSS 7.5 [HIGH]
NocoDB through 0.106.1 has a path traversal vulnerability that allows an unauthenticated attacker to access arbitrary files on the server by manipulating the path parameter of the /download route. This vulnerability could allow an attacker to access sensitive files and data on the server, including configuration files, source code, and other sensitive information.
Template:

```yaml
id: CVE-2023-35843

info:
  name: NocoDB version <= 0.106.1 - Arbitrary File Read
  author: dwisiswant0
  severity: high
  description: |
    NocoDB through 0.106.1 has a path traversal vulnerability that allows an unauthenticated attacker to access arbitrary files on the server by manipulating the path parameter of the /download route. This vulnerability could allow an attacker to
```
References:
- https://advisory.dw1.io/60
- https://github.com/nocodb/nocodb/blob/6decfa2b20c28db9946bddce0bcb1442b683ecae/packages/nocodb/src/lib/controllers/attachment.ctl.ts#L62-L74
- https://github.com/nocodb/nocodb/blob/f7ee7e3beb91d313a159895d1edc1aba9d91b0bc/packages/nocodb/src/controllers/attachments.controller.ts#L55-L66