CVE-2023-35843

Name of the Vulnerable Software and Affected Versions NocoDB versions 0.106.0 and earlier NocoDB version 0.109.1

Description The issue is related to a path traversal vulnerability that allows an unauthenticated attacker to access arbitrary files on the server by manipulating the path parameter of the "/download" route. This could allow an attacker to access sensitive files and data on the server, including configuration files, source code, and other sensitive information. The vulnerability is associated with incorrect restriction of the directory path name with limited access, which could enable a remote attacker to gain unauthorized access to protected information.

Recommendations For NocoDB versions 0.106.0 and earlier: Update to a version later than 0.106.0 to resolve the issue. For NocoDB version 0.109.1: Update to a version later than 0.109.1 to resolve the issue. As a temporary workaround, consider restricting access to the /download route until a patch is available. Avoid using the path parameter in the affected /download route until the issue is resolved.