PT-2024-13958 · Nocodb · Nocodb

Pyozzi-Toss · Published 2024-05-13 · Updated 2025-08-21 · CVE-2023-50718

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

Name of the Vulnerable Software and Affected Versions

NocoDB versions prior to 0.202.10

Description

The issue allows an authenticated attacker with create access to conduct a SQL injection attack on the MySQL database using an unescaped table name. This may result in leakage of sensitive data in the database. The SQL injection vulnerability occurs in the VitessClient.ts file, specifically in the columnList function, where the args.tn variable, which holds the table name entered by the user, is not properly sanitized. An attacker can exploit this by including a special character in the table name to break out of the existing query and execute a new arbitrary SQL query.

Recommendations

For versions prior to 0.202.10, update to version 0.202.10 or later, which contains a patch for the issue. As a temporary workaround, consider restricting access to the columnList function in VitessClient.ts to minimize the risk of exploitation. Additionally, restrict the use of the args.tn variable in the affected SQL query until the issue is resolved.
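The weakness class described above, shown as an added example beside its hardened form. This is not NocoDB's code or its patch: the query text and every function name below are assumptions made for illustration, and only the unescaped table name comes from the advisory.

```typescript
// Added illustration, not NocoDB source. The query text and all function
// names are assumptions; only "unescaped table name" comes from the advisory.

type Query = { sql: string; bindings: string[] };

// Vulnerable pattern: the caller-supplied table name is pasted into a SQL
// string literal, so a quote character in the name ends the literal early.
function columnListConcatenated(schema: string, tn: string): Query {
  const sql =
    "SELECT column_name FROM information_schema.columns " +
    `WHERE table_schema = '${schema}' AND table_name = '${tn}'`;
  return { sql, bindings: [] };
}

// Hardened pattern: the SQL text is constant and the names travel as bound
// values, so they are never parsed as SQL.
function columnListBound(schema: string, tn: string): Query {
  const sql =
    "SELECT column_name FROM information_schema.columns " +
    "WHERE table_schema = ? AND table_name = ?";
  return { sql, bindings: [schema, tn] };
}

// Where a name must appear as an identifier (for example after FROM), MySQL
// expects backtick quoting with embedded backticks doubled. Names are capped
// at 64 characters and may not contain NUL.
function quoteMysqlIdentifier(name: string): string {
  if (name.length === 0 || name.length > 64 || name.indexOf("\0") !== -1) {
    throw new Error("invalid MySQL identifier");
  }
  return "`" + name.replace(/`/g, "``") + "`";
}

// Cheap review aid: an odd number of single quotes means a literal was left open.
function hasUnbalancedQuotes(sql: string): boolean {
  return (sql.match(/'/g) || []).length % 2 === 1;
}

// Constructed sample input: an ordinary-looking table name containing a quote.
const sampleTableName = "o'brien_notes";
console.log(columnListConcatenated("app", sampleTableName).sql);
console.log(columnListBound("app", sampleTableName));
console.log(quoteMysqlIdentifier("weird`name"));
```

Even a benign name with a quote breaks the concatenated query, which is a quick regression check for code paths that still build SQL from table names.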

Exploit

Fix

SQL injection

Weakness Enumeration

Related Identifiers

CVE-2023-50718
GHSA-8FXG-MR34-JQR8

Affected Products

Nocodb