PT-2022-15256 · Nocodb · Nocodb

Published: 2022-01-10 · Updated: 2025-08-26 · CVE-2022-22120
CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: NocoDB versions 0.9 to 0.83.8
Description: The issue is an observable discrepancy in the password-reset feature. When a password reset is requested for a given email address, the application returns an error message if that address is not registered in the system. By comparing the responses to password-reset requests for different addresses, an attacker can enumerate the email addresses of registered users.
Recommendations: For NocoDB versions 0.9 to 0.83.8, consider temporarily modifying the password-reset feature to return a generic response to every password-reset request, regardless of whether the email address is registered, until a patch is available. Restrict access to the password-reset functionality to minimize the risk of exploitation.

Tags: Exploit · Fix · Side Channel Attack


Weakness Enumeration
Related Identifiers: CVE-2022-22120
Affected Products: Nocodb