CVE-2023-35843: Arbitrary File Read in NocoDB
Summary
NocoDB versions <= 0.106.1 contain a path traversal vulnerability that allows an unauthenticated attacker to read arbitrary files on the server by manipulating the path parameter of the /download route. An attacker could use it to access sensitive files and data on the server, including configuration files, source code, and other sensitive information.
Description
The fileRead function is responsible for serving attachment files from the server. It takes the path parameter from the request URL, appends it to a fixed prefix, and then calls attachmentService to retrieve the attachment file at the resulting path.
Details
fileRead function
File: /packages/nocodb/src/lib/controllers/attachment.ctl.ts, lines 62-74:
export async function fileRead(req, res) {
  // ...
  // The wildcard segment of the /download route is appended to the fixed
  // 'nc/uploads' prefix unchanged. path.join() normalises any '../' it
  // contains, so the resulting path can point outside the uploads directory.
  const { img, type } = await attachmentService.fileRead({
    path: path.join('nc', 'uploads', req.params?.[0]),
  });
  // The file is returned with the detected content type, whatever it was.
  res.writeHead(200, { 'Content-Type': type });
  res.end(img, 'binary');
  // ...
}
When a request reaches this function, it builds the file path by joining the fixed segments 'nc' and 'uploads' with the value of req.params?.[0]. Because that value is joined without any normalisation or containment check, it determines where within the server's directory structure the resulting path points.
Proof of Concept
An attacker can exploit this vulnerability by crafting a URL whose path parameter contains directory traversal sequences such as ../. With enough of these sequences, the attacker traverses up the directory hierarchy and reaches files outside the intended directory. In the steps to reproduce below, the /etc/passwd file is read by traversing up several levels from the nc/uploads directory.
Steps to Reproduce
Send a GET request to the following URL: http://localhost/download/..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd. The server responds with the contents of the /etc/passwd file.
Impact
This vulnerability allows an unauthenticated attacker to access sensitive files on the server, leading to potential information disclosure.
Timeline
- 12 Apr 2023: Vulnerability reported through the huntr.dev platform.
- 13 Apr 2023: The huntr team contacted the NocoDB team.
- 13 May 2023: Report marked stale.
- 03 Jun 2023: CVE ID requested from the MITRE CNA.
- 19 Jun 2023: CVE-2023-35843 was assigned.
- 19 Jun 2023: Advisory published.