CVE-2023-35843: Arbitrary File Read in NocoDB

Summary

The NocoDB application version <= 0.106.1 has a path traversal vulnerability that allows an unauthenticated attacker to access arbitrary files on the server by manipulating the path parameter of the /download route. This vulnerability could allow an attacker to access sensitive files and data on the server, including configuration files, source code, and other sensitive information.

Description

The fileRead function is responsible for serving attachment files from the server. This function takes the path parameter from the request URL, appends it to a fixed path, and then utilizes the attachmentService to retrieve the attachment file based on the provided path parameter.

Details

fileRead Function

File /packages/nocodb/src/lib/controllers/attachment.ctl.ts:62-74:

export async function fileRead(req, res) {
  // ...
    const { img, type } = await attachmentService.fileRead({
      path: path.join('nc', 'uploads', req.params?.[0]),
    });

    res.writeHead(200, { 'Content-Type': type });
    res.end(img, 'binary');
  // ...
}

When a request is made to this function, it constructs the file path by combining the predetermined paths 'nc', 'uploads', and the value of the req.params?.[0] parameter. This parameter allows dynamic inclusion of the requested file’s path within the server’s directory structure.

Proof of Concept

An attacker can exploit this vulnerability by crafting a specially crafted URL containing a path parameter that includes directory traversal sequences such as ../. By including enough of these sequences, the attacker can traverse up the directory hierarchy and access files outside of the intended directory. In the steps to reproduce below, an attacker can access the /etc/passwd file by traversing up several levels from the nc/uploads directory.

Steps to Reproduce

Send a GET request to the following URL: http://localhost/download/..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd. The server will respond with the contents of the /etc/passwd file.

Impact

This vulnerability allows an unauthenticated attacker to access sensitive files on the server, leading to potential information disclosure.

Timeline

• 12 Apr 2023: Vulnerability reported thru huntr.dev platform.
• 13 Apr 2023: The huntr team contacted NocoDB team.
• 13 May 2023: Report staled.
• 03 Jun 2023: Request a CVE ID to MITRE CNA.
• 19 Jun 2023: CVE-2023-35843 was assigned.
• 19 Jun 2023: Advisory published.

References

• /packages/nocodb/src/lib/controllers/attachment.ctl.ts:62-74