PT-2023-28986 · Nocodb · Nocodb

Sylwia-Budzynska · Published 2023-10-17 · Updated 2023-10-24 · CVE-2023-43794

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Nocodb versions prior to 0.111.0

Description: Nocodb is an open source Airtable alternative. Affected versions of Nocodb contain a SQL injection vulnerability that allows an authenticated attacker with creator access to query the underlying database. By supplying a specially crafted payload to the tableCreate endpoint, an attacker can inject arbitrary SQL queries to be executed. Since this is a blind SQL injection, an attacker may need to use time-based payloads, which include a function that delays execution for a given number of seconds. The response time then indicates whether the injected condition evaluated to true or false: the HTTP response is returned after the delay, indicating TRUE, or immediately, indicating FALSE. In that way, an attacker can reveal the data present in the database. The root cause is that the triggerList method builds a SQL query using the user-controlled table name parameter value.

Recommendations: For versions prior to 0.111.0, upgrade to version 0.111.0 or later to address the SQL injection vulnerability. As a temporary workaround, consider restricting access to the tableCreate endpoint and the triggerList method until a patch is available. Avoid using the table name parameter in the affected endpoint until the issue is resolved.

Exploit

Fix

SQL injection


Weakness Enumeration

Related identifiers

CVE-2023-43794
GHSA-3M5Q-Q39V-XF8F

Affected products

Nocodb