cbcvebase.
CVE-2023-35843
published 2023-06-19


PriorityP178high7.5CVSS 3.1
CVSS vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:N / A:N
In-the-wild exploitation: VulnCheck KEV (exploited in the wild)
EPSS: 8.95% (94.6th percentile)
NocoDB through 0.106.0 (or 0.109.1) has a path traversal vulnerability that allows an unauthenticated attacker to access arbitrary files on the server by manipulating the path parameter of the /download route. This vulnerability could allow an attacker to access sensitive files and data on the server, including configuration files, source code, and other sensitive information.

Affected

1 range

Vendor    Product    Version range    Fixed in
nocodb    nocodb     <= 0.106.1

Detection & IOCs (extracted from sources)

url:   /download/{{repeat('..%2F', 5)}}etc%2Fpasswd
path:  /download/
yara:  regex: root:[x*]:0:0
  • Detect path traversal attempts against the NocoDB /download route by looking for URL-encoded traversal sequences (..%2F) in GET requests to /download/
  • A successful exploit response will return HTTP 200 with /etc/passwd content matching root:[x*]:0:0 — monitor for this pattern in HTTP response bodies from NocoDB instances
  • Identify exposed NocoDB instances via Shodan favicon hash -2017596142 or FOFA icon_hash=-2017596142 for proactive asset discovery
  • The vulnerability is unauthenticated — no session token or authentication header is required; flag any unauthenticated GET requests to /download/ containing repeated ..%2F sequences
  • Affected versions are NocoDB <= 0.106.1 (NVD also references <= 0.109.1 in one description); verify the exact version ceiling against your deployment
  • The vulnerable code path exists in two separate controller files across different NocoDB versions; both should be reviewed when assessing patch status
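The detection notes above describe two signals: URL-encoded traversal sequences in GET requests to /download/, and an HTTP 200 response whose body matches the /etc/passwd pattern. The script below is an added example (not part of this record and not NocoDB code) that applies both rules to a few constructed access-log lines in combined log format. It assumes the log is in that format and that the request path is the second token of the request line; the IP addresses, timestamps and user agents are made up.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (combined log format). These are illustrative
# entries written for this example, not real traffic from any NocoDB instance.
SAMPLE_LOG = [
    '203.0.113.10 - - [19/Jun/2023:10:00:01 +0000] "GET /download/..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1845 "-" "curl/8.0"',
    '203.0.113.11 - - [19/Jun/2023:10:00:02 +0000] "GET /download/reports%2Fq2.pdf HTTP/1.1" 200 52110 "-" "Mozilla/5.0"',
    '203.0.113.12 - - [19/Jun/2023:10:00:03 +0000] "GET /download/../../../../etc/passwd HTTP/1.1" 404 120 "-" "Go-http-client/1.1"',
    '203.0.113.13 - - [19/Jun/2023:10:00:04 +0000] "GET /api/v1/db/meta/projects HTTP/1.1" 401 45 "-" "Mozilla/5.0"',
]

# Request line and status code from a combined-log entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
# A ".." path segment bounded by slashes (or string boundaries), evaluated on the decoded path.
TRAVERSAL_RE = re.compile(r'(?<![^/\\])\.\.(?=[/\\]|$)')
# Response-body pattern taken from the detection notes on this page (first line of /etc/passwd).
PASSWD_RE = re.compile(r'root:[x*]:0:0')


def fully_decode(path, rounds=3):
    """Undo percent-encoding until it stops changing, so the traversal check
    sees the path the server would actually resolve (bounded to avoid loops)."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def traversal_depth(raw_path):
    """Count '..' segments in the decoded path; 0 means no traversal."""
    return len(TRAVERSAL_RE.findall(fully_decode(raw_path)))


def classify_request(line, route_prefix="/download/", min_depth=1):
    """Return a finding dict for a traversal attempt against route_prefix, else None.
    Verdict follows the page's note: a 200 response indicates the file was served."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    raw_path = m.group("path")
    decoded = fully_decode(raw_path)
    if not decoded.startswith(route_prefix):
        return None
    depth = traversal_depth(raw_path)
    if depth < min_depth:
        return None
    status = int(m.group("status"))
    return {
        "method": m.group("method"),
        "path": raw_path,
        "decoded": decoded,
        "depth": depth,
        "status": status,
        "verdict": "likely_success" if status == 200 else "attempt",
    }


def scan_log(lines):
    """Apply classify_request to every line and keep the hits."""
    return [f for f in (classify_request(line) for line in lines) if f]


def response_looks_like_passwd(body):
    """Second signal from the page: response body carrying /etc/passwd content."""
    return bool(PASSWD_RE.search(body))


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(f'{finding["verdict"]:15} depth={finding["depth"]} status={finding["status"]} {finding["decoded"]}')
```

Two design points: the route check and the traversal count run on the decoded path rather than the raw one, so the rule is not defeated by encoding the dots themselves, and the verdict separates confirmed-looking hits (HTTP 200) from blocked or failed attempts (any other status), which is the triage split an analyst wants when a scanner is sweeping many hosts. Pair this with the response-body check at a proxy or WAF that can inspect bodies, since the access log alone cannot show what was returned.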

CVSS provenance

nvd        v3.1    7.5    HIGH    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
vulncheck          7.5    HIGH