Headline
GHSA-8fxg-mr34-jqr8: NocoDB SQL Injection vulnerability
Summary
An authenticated attacker with create access could conduct a SQL Injection attack on MySQL DB using unescaped table_name.
Details
SQL Injection vulnerability occurs in VitessClient.ts.
async columnList(args: any = {}) {
const func = this.columnList.name;
const result = new Result();
log.api(`${func}:args:`, args);
try {
args.databaseName = this.connectionConfig.connection.database;
const response = await this.sqlClient.raw(
`select *, table_name as tn from information_schema.columns where table_name = '${args.tn}' ORDER by ordinal_position`,
);
The variable ${args.tn} refers to the table name entered by the user. A malicious attacker can escape the existing query by including a special character (') in the table name and insert and execute a new arbitrary SQL query.
Impact
This vulnerability may result in leakage of sensitive data in the database.
Summary
An authenticated attacker with create access could conduct a SQL Injection attack on MySQL DB using unescaped table_name.
Details
SQL Injection vulnerability occurs in VitessClient.ts.
async columnList(args: any = {}) { const func = this.columnList.name; const result = new Result(); log.api(`${func}:args:`, args);
try {
args.databaseName \= this.connectionConfig.connection.database;
const response \= await this.sqlClient.raw(
\`select \*, table\_name as tn from information\_schema.columns where table\_name = '${args.tn}' ORDER by ordinal\_position\`,
);
The variable ${args.tn} refers to the table name entered by the user.
A malicious attacker can escape the existing query by including a special character (') in the table name and insert and execute a new arbitrary SQL query.
Impact
This vulnerability may result in leakage of sensitive data in the database.
References
- GHSA-8fxg-mr34-jqr8