Budibase · Budibase · CVE-2026-25041
**Name of the Vulnerable Software and Affected Versions**
Budibase versions prior to 3.23.22
**Description**
Budibase is a low-code platform that allows users to create internal tools, workflows, and admin panels. The PostgreSQL integration within Budibase constructs shell commands using user-controlled configuration values, such as the database name, host, and password, without adequate sanitization. Specifically, the password and other connection parameters are directly interpolated into a shell command within the `packages/server/src/integrations/postgres.ts` file (lines 529-531). An attacker who can control these database configuration values can inject shell commands. For example, manipulating the `password` or `database name` parameters could allow for arbitrary code execution, system compromise, and data exfiltration. The vulnerable code constructs a shell command using template literals, directly embedding the `this.config.password` value into the `PGPASSWORD` environment variable.
**Recommendations**
Deployments running a version prior to 3.23.22 should be updated to 3.23.22 or later.
Use environment variables for sensitive values instead of command-line arguments.
Validate and sanitize all configuration values.
Use proper escaping for shell arguments.
Consider using a PostgreSQL library's native dump functionality instead of shell commands.
Use `execFile` with proper argument handling, as shown in the example fix, to avoid shell injection.
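The contrast the recommendations describe, as an added example that is not Budibase's own code and not the project's fix: one function builds a `pg_dump` command line the way the advisory describes (every connection value interpolated into a single shell string, with the password in `PGPASSWORD`), and a second builds the equivalent `execFile` invocation, where the program and each argument are separate array entries and the password is passed only through the child's environment. The `PgConfig` field names, the `pg_dump` flags chosen, and the identifier allow-list are assumptions for illustration; the hostile password value in the usage section is constructed to show where the argument boundary breaks, not taken from the advisory.

```typescript
// Added example (not Budibase code): unsafe shell-string construction beside
// an execFile-based invocation for the same pg_dump call.
import { execFile } from "node:child_process";

// Hypothetical connection settings; field names are an assumption.
interface PgConfig {
  host: string;
  port: number;
  database: string;
  user: string;
  password: string;
}

// UNSAFE pattern (the shape the advisory describes): every value is spliced
// into one string that a shell will parse, so a shell metacharacter inside a
// value changes the structure of the command rather than staying data.
function buildDumpCommandUnsafe(c: PgConfig): string {
  return `PGPASSWORD=${c.password} pg_dump -h ${c.host} -p ${c.port} -U ${c.user} ${c.database}`;
}

// Defence in depth for values that should be plain identifiers or hostnames.
// execFile already prevents shell interpretation; this allow-list (an
// assumption, loosen it for IPv6 hosts or unusual role names) rejects
// surprising input early and gives a clear error.
const SAFE_TOKEN = /^[A-Za-z0-9_.\-]+$/;
function assertPlainToken(name: string, value: string): string {
  if (!SAFE_TOKEN.test(value)) {
    throw new Error(`invalid ${name}: only [A-Za-z0-9_.-] allowed`);
  }
  return value;
}

interface DumpInvocation {
  file: string;
  args: string[];
  env: Record<string, string>;
}

// SAFE pattern: no shell is involved. Each argv element reaches pg_dump
// unchanged regardless of its characters, and the password is never placed
// on the command line (where it would also be visible in process listings).
function buildDumpInvocation(c: PgConfig): DumpInvocation {
  if (!Number.isInteger(c.port) || c.port < 1 || c.port > 65535) {
    throw new Error("invalid port");
  }
  const args = [
    "-h", assertPlainToken("host", c.host),
    "-p", String(c.port),
    "-U", assertPlainToken("user", c.user),
    "--no-password", // never prompt; PGPASSWORD from env is used instead
    assertPlainToken("database", c.database),
  ];
  return { file: "pg_dump", args, env: { PGPASSWORD: c.password } };
}

// Executes the dump via execFile(file, args, options): the args array is
// passed straight to the process, not to /bin/sh. Requires pg_dump on PATH.
function runDump(c: PgConfig): Promise<string> {
  const inv = buildDumpInvocation(c);
  return new Promise((resolve, reject) => {
    execFile(
      inv.file,
      inv.args,
      { env: { ...process.env, ...inv.env }, maxBuffer: 64 * 1024 * 1024 },
      (err, stdout) => (err ? reject(err) : resolve(stdout.toString())),
    );
  });
}

// Usage with a constructed config. The password deliberately contains a
// shell metacharacter to show the difference between the two builders.
const sampleConfig: PgConfig = {
  host: "db.internal",
  port: 5432,
  database: "app",
  user: "readonly",
  password: "secret;echo boundary-crossed",
};
```

In the unsafe builder the `;` in the sample password sits unquoted inside the shell string, so everything after it is parsed as a separate command; in `buildDumpInvocation` the same value is only ever a single environment-variable value and never appears in `args`. `runDump` is the call site a fix would use, and it is not invoked here because it needs a real `pg_dump` and database.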