Application allows large characters to insert in the input field "Add new table" on the create field which can allow attackers to cause a Denial of Service (DoS) via a crafted HTTP request in nocodb/nocodb

Valid

Reported on

Jul 7th 2022


Proof of Concept

1. Go to http://localhost:8080/dashboard/#/projects
2. Select any created project and go to the project section.
3. Click on the "ADD/IMPORT" section and click on "add new table" Create
4. Fill the "table name" field with huge characters (more than 1 lakh).
5. Copy the below payload and put it in the input fields, and click on continue.
6. You will see the application accepts large characters, and if we increase the characters then it can lead to DoS.

(It is also reflected in the URL, so the large string in the URL also blocks the user section.)

Download the payload from here:

https://drive.google.com/file/d/13IK67Sx93nvnb_3gLUBDLgoEC7XTQiso/view?usp=sharing

Video & Image POC:

https://drive.google.com/file/d/1geJOi6lrl6gFQcwZ9ybeJhehU4NX9siL/view?usp=sharing

Patch recommendation:

The Project name input should be limited to 50 characters or a max of 100 characters.

Impact

It can lead to a denial of service attack
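
The patch recommendation above asks for a length limit on the name field; since the proof of concept is a crafted HTTP request, that limit has to hold on the server and not only in the form. The sketch below is an added example, not part of the report or of NocoDB's code: the function names and the 8 KiB body cap are assumptions, and the 100-character bound is the report's suggested maximum.

```javascript
// Added example: server-side limits for a "create table" request.
// Names and limits are assumptions, not NocoDB's actual code.
const MAX_BODY_BYTES = 8 * 1024; // assumed cap for this small JSON endpoint
const MAX_TITLE_LEN = 100;       // upper bound suggested in the report

// Control characters and lone surrogates (the latter make encodeURIComponent throw).
const FORBIDDEN = /[\u0000-\u001F\u007F\uD800-\uDFFF]/u;

function validateTableTitle(raw) {
  if (typeof raw !== 'string') return { ok: false, reason: 'title must be a string' };
  // Cheap pre-check: a code point is at most 2 UTF-16 units, so anything
  // longer than 2 * MAX_TITLE_LEN units is rejected without scanning it.
  if (raw.length > 2 * MAX_TITLE_LEN) return { ok: false, reason: 'title too long' };
  const title = raw.trim();
  if (title.length === 0) return { ok: false, reason: 'title is empty' };
  if (FORBIDDEN.test(title)) return { ok: false, reason: 'title has forbidden characters' };
  if ([...title].length > MAX_TITLE_LEN) return { ok: false, reason: 'title too long' };
  return { ok: true, title };
}

// rawBody: the request body as a Buffer. A real server should apply the
// byte cap while reading the stream, so an oversized body is never buffered.
function handleCreateTable(rawBody) {
  // Reject oversized bodies before JSON.parse allocates anything for them.
  if (rawBody.length > MAX_BODY_BYTES) return { status: 413, error: 'payload too large' };
  let parsed;
  try {
    parsed = JSON.parse(rawBody.toString('utf8'));
  } catch {
    return { status: 400, error: 'invalid JSON' };
  }
  const result = validateTableTitle(parsed && parsed.title);
  if (!result.ok) return { status: 400, error: result.reason };
  // The title is bounded, so the URL segment built from it is bounded too
  // (at most 12 characters per code point once percent-encoded).
  return { status: 200, title: result.title, urlSegment: encodeURIComponent(result.title) };
}

// Constructed sample requests: a normal title, a 150-character title,
// and a 100,000-character title like the one the report describes.
const okBody = Buffer.from(JSON.stringify({ title: 'Orders 2022' }));
const longBody = Buffer.from(JSON.stringify({ title: 'A'.repeat(150) }));
const hugeBody = Buffer.from(JSON.stringify({ title: 'A'.repeat(100000) }));
for (const body of [okBody, longBody, hugeBody]) {
  console.log(body.length, handleCreateTable(body).status);
}
```
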

References

We are processing your report and will contact the nocodb team within 24 hours. 2 years ago
A GitHub Issue asking the maintainers to create a SECURITY.md exists 2 years ago
nocodb/nocodb maintainer modified the report
2 years ago
nocodb/nocodb maintainer modified the report
2 years ago
We have contacted a member of the nocodb team and are waiting to hear back 2 years ago
nocodb/nocodb maintainer has acknowledged this report 2 years ago
nocodb/nocodb maintainer
2 years ago

Any updates ?

nocodb/nocodb maintainer
2 years ago

We're in midst of revamping the UI overall and we will be handling this.

nocodb/nocodb maintainer
2 years ago

Partially fixed the overflowing name in this https://github.com/nocodb/nocodb/pull/2646.

URL part will be fixed later.

nocodb/nocodb maintainer
2 years ago

@maintainer @admin - please confirm are you happy to assign a CVE ?

Jamie Slome
2 years ago

A CVE will automatically be assigned to this report 👍

nocodb/nocodb maintainer
a year ago

Any updates?

nocodb/nocodb maintainer
a year ago

@admin Vulnerability has been fixed and is it okay to assign CVE now ??

Pavlos
a year ago

Admin


Can you please provide the patch commit SHA? Unfortunately only the maintainer can apply for a CVE but I'm sure they'll see these comments and weigh in

nocodb/nocodb maintainer modified the Severity from High (8.2) to Medium (5.7) 5 months ago
nocodb/nocodb maintainer modified the CWE from Integer Overflow or Wraparound to Improper Input Validation 5 months ago
The researcher has received a minor penalty to their credibility for misclassifying the vulnerability type: -1
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
nocodb/nocodb maintainer validated this vulnerability 5 months ago
hisokix0 has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
nocodb/nocodb maintainer marked this as fixed in 0.96.0 with commit db0385 5 months ago
The fix bounty has been dropped
This vulnerability has now been published 5 months ago