Headline
CVE-2022-3423: The NocoDB application allows large characters to be inserted in the input field "New Project" on the create field, which can allow attackers to cause a Denial of Service (DoS) via a crafted HTTP request in
Denial of Service in GitHub repository nocodb/nocodb prior to 0.92.0.
Proof of Concept
1. Go to http://localhost:8080/dashboard/#/projects
2. Click on New project and create.
3. Fill the “Enter project name” field with huge characters (more than 1 lakh).
4. Copy the below payload and put it in the input fields and click on continue.

You will see the application accepts large characters, and if we increase the characters then it can lead to DoS.
Download the payload from here:
https://drive.google.com/file/d/13IK67Sx93nvnb_3gLUBDLgoEC7XTQiso/view?usp=sharing
Video & Image POC:
https://drive.google.com/drive/folders/1N6h02blexPhQyj4MdfyPwNTOmKEXIfMu?usp=sharing
Patch recommendation:
The Project name input should be limited to 50 characters or a max of 100 characters.
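One way to enforce the recommended limit on the server, where a crafted HTTP request cannot bypass it the way it can bypass a client-side `maxlength`. This is an added example, not NocoDB's code or its actual fix; the `title` field name, the 4 KiB body cap, the status codes and all function names are assumptions.

```javascript
// Added example: hypothetical server-side checks, not NocoDB's own code.
const MAX_NAME_CHARS = 50;        // limit taken from the patch recommendation
const MAX_BODY_BYTES = 4 * 1024;  // assumed cap for a create-project JSON body

// Validate a project name. Returns { ok: true, name } or { ok: false, error }.
function validateProjectName(value) {
  if (typeof value !== 'string') {
    return { ok: false, error: 'name must be a string' };
  }
  // Cheap pre-check on UTF-16 units (a code point is at most 2 units), so an
  // enormous string is rejected before it is trimmed or iterated.
  if (value.length > MAX_NAME_CHARS * 2) {
    return { ok: false, error: 'name too long' };
  }
  const name = value.trim();
  if (name.length === 0) {
    return { ok: false, error: 'name is required' };
  }
  // Exact check on code points, so 50 emoji count as 50 characters.
  if ([...name].length > MAX_NAME_CHARS) {
    return { ok: false, error: 'name too long' };
  }
  return { ok: true, name };
}

// Handle the raw body of a create-project request (assumed already buffered;
// a real server should enforce the byte cap while reading the stream).
function handleCreateProject(rawBody) {
  if (Buffer.byteLength(rawBody, 'utf8') > MAX_BODY_BYTES) {
    return { status: 413, error: 'request body too large' };
  }
  let body;
  try {
    body = JSON.parse(rawBody);
  } catch (err) {
    return { status: 400, error: 'invalid JSON' };
  }
  // "title" is an assumed field name for the project name.
  const result = validateProjectName(body?.title);
  if (!result.ok) {
    return { status: 400, error: result.error };
  }
  return { status: 200, title: result.name };
}
```

The body cap rejects the oversized request before it is parsed, and the name check rejects anything that fits in the body but still exceeds the limit.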
Impact
It can lead to a denial of service attack.
References
- https://huntr.dev/bounties/cdf00e14-38a7-4b6b-9bb4-3a71bf24e436/
- https://huntr.dev/bounties/97e36678-11cf-42c6-889c-892d415d9f9e/
Related news
NocoDB prior to 0.92.0 allows actors to insert large characters into the input field `New Project` on the create field, which can cause a Denial of Service (DoS) via a crafted HTTP request. Version 0.92.0 fixes this issue.