GHSA-8fxg-mr34-jqr8: NocoDB SQL Injection vulnerability

Summary


An authenticated attacker with create access can perform SQL injection against the backing MySQL database through the unescaped table_name parameter.

Details


SQL Injection vulnerability occurs in VitessClient.ts.

async columnList(args: any = {}) {
    const func = this.columnList.name;
    const result = new Result();
    log.api(`${func}:args:`, args);

    try {
      args.databaseName = this.connectionConfig.connection.database;

      // args.tn (the caller-supplied table name) is interpolated straight into
      // the SQL text; nothing escapes it or passes it as a bound parameter.
      const response = await this.sqlClient.raw(
        `select *, table_name as tn from information_schema.columns where table_name = '${args.tn}' ORDER by ordinal_position`,
      );
      // (remainder of the function is not shown in the advisory)

${args.tn} is the table name supplied by the user. Because it is spliced into the query text rather than passed as a bound parameter, an attacker can include a single quote (') to terminate the string literal and then append arbitrary SQL, which the database executes as part of the same statement.
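The following is an added example, not NocoDB's code, that reproduces the unescaped interpolation from VitessClient.columnList beside a hardened version and makes the difference visible without a database: each function builds the (sql, bindings) pair a knex-style raw() call would receive, and a small helper strips string literals so only the query's structure remains. The identifier regex, the helper names and the attacker payload are assumptions made for the demonstration.

```typescript
// Added example, not NocoDB's code: vulnerable interpolation vs. a bound
// parameter, compared by query structure rather than by running SQL.

interface RawQuery {
  sql: string;        // SQL text that would be sent to the server
  bindings: string[]; // values the driver substitutes for `?` placeholders
}

// Vulnerable pattern from the advisory: the caller-controlled table name is
// spliced into the SQL text, so a quote in it ends the string literal.
function columnListVulnerable(tn: string): RawQuery {
  return {
    sql: `select *, table_name as tn from information_schema.columns where table_name = '${tn}' ORDER by ordinal_position`,
    bindings: [],
  };
}

// Assumed allow-list for this example: MySQL unquoted identifiers are at most
// 64 characters from [0-9a-zA-Z$_]. Anything else is rejected before it gets
// anywhere near the query. (NocoDB's actual fix may differ.)
function isPlainIdentifier(name: string): boolean {
  return /^[A-Za-z0-9_$]{1,64}$/.test(name);
}

// Hardened: the table name travels as a bound parameter. The SQL text is a
// constant, so user input can only ever be compared as a value.
function columnListSafe(tn: string): RawQuery {
  if (!isPlainIdentifier(tn)) {
    throw new Error(`rejected table name: ${JSON.stringify(tn)}`);
  }
  return {
    sql: "select *, table_name as tn from information_schema.columns where table_name = ? ORDER by ordinal_position",
    bindings: [tn],
  };
}

// Replaces every single-quoted literal with `?` so only the statement's
// structure remains. Handles the '' escape; an unterminated literal runs to
// the end of the text, as it would for the server.
function queryShape(sql: string): string {
  let out = "";
  let i = 0;
  while (i < sql.length) {
    if (sql[i] !== "'") { out += sql[i++]; continue; }
    i++; // skip the opening quote
    while (i < sql.length) {
      if (sql[i] === "'") {
        if (sql[i + 1] === "'") { i += 2; continue; } // escaped quote inside literal
        i++; break;                                   // closing quote
      }
      i++;
    }
    out += "?";
  }
  return out;
}

// Constructed attacker input: closes the literal, appends a UNION that reads
// other tables' metadata, and comments out the rest of the original query.
const INJECTED_TN = "x' union select table_name, column_name from information_schema.columns -- ";

function demo(): void {
  const benign = columnListVulnerable("users");
  const hostile = columnListVulnerable(INJECTED_TN);
  console.log(queryShape(benign.sql));   // same shape as the hardened query
  console.log(queryShape(hostile.sql));  // structure now contains the attacker's UNION
  console.log(columnListSafe("users"));  // constant sql, tn carried in bindings
  try {
    columnListSafe(INJECTED_TN);
  } catch (e) {
    console.log(String(e));              // rejected before any query is built
  }
}
demo();
```

The point the shapes make: with interpolation, the attacker's input changes what the statement does; with a placeholder, the statement is fixed and the input can only change which row matches. The identifier check is a second layer, useful because table names are identifiers rather than free text, but the binding alone is what removes the injection.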

Impact


This vulnerability may result in leakage of sensitive data in the database.


References

  • GHSA-8fxg-mr34-jqr8
