The NocoDB application allows an arbitrarily large string to be entered in the "New Project" input field on the create form, which can allow attackers to cause a Denial of Service (DoS) via a crafted HTTP request in nocodb/nocodb

Valid

Reported on

Jun 16th 2022


Proof of Concept

1. Go to http://localhost:8080/dashboard/#/projects
2. Click on "New project" and create one.
3. Fill the "Enter project name" field with a huge number of characters (more than 1 lakh): copy the payload below, put it in the input field and click "Continue".
4. You will see that the application accepts the large input, and if the number of characters is increased further it can lead to DoS.

Download the payload from here:

https://drive.google.com/file/d/13IK67Sx93nvnb_3gLUBDLgoEC7XTQiso/view?usp=sharing

Video & Image POC:

https://drive.google.com/drive/folders/1N6h02blexPhQyj4MdfyPwNTOmKEXIfMu?usp=sharing

Patch recommendation:

The Project name input should be limited to 50 characters or a max of 100 characters.
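As an added illustration of the recommendation above (example code, not NocoDB's own code or its actual fix), the following hypothetical Node.js create-project handler shows the unchecked behaviour the report describes next to a hardened version that caps the raw request body before parsing and then enforces a 100-character limit on the project name. The handler names, the body-size cap and the sample requests are assumptions constructed for this example.

```javascript
// Added example (not NocoDB's own code): server-side length validation for the
// "project name" field, as recommended above. The handler names, the request-body
// cap and the sample inputs are assumptions constructed for this example.
const MAX_PROJECT_NAME_LENGTH = 100; // upper bound from the patch recommendation
const MAX_BODY_BYTES = 16 * 1024;    // assumed cap on the raw request body

// Field-level check: type, emptiness and length. Unicode code points are counted
// (not UTF-16 code units) so a name made of astral characters is not double counted.
function validateProjectName(name) {
  if (typeof name !== 'string') {
    return { ok: false, error: 'project name must be a string' };
  }
  const trimmed = name.trim();
  if (trimmed.length === 0) {
    return { ok: false, error: 'project name must not be empty' };
  }
  const codePoints = Array.from(trimmed).length;
  if (codePoints > MAX_PROJECT_NAME_LENGTH) {
    return { ok: false, error: `project name exceeds ${MAX_PROJECT_NAME_LENGTH} characters` };
  }
  return { ok: true, value: trimmed };
}

// Transport-level guard: refuse oversized bodies before the JSON parser allocates for them,
// so the length check on the field is not the only thing standing between a huge payload and memory.
function checkBodySize(rawBody) {
  return Buffer.byteLength(rawBody, 'utf8') <= MAX_BODY_BYTES;
}

// Unchecked behaviour from the report: whatever arrives as the title is accepted.
function createProjectUnchecked(body) {
  return { status: 200, project: { title: body.title } };
}

// Hardened handler: body-size cap first, then JSON parsing, then field validation.
function createProjectHardened(rawBody) {
  if (!checkBodySize(rawBody)) {
    return { status: 413, error: 'request body too large' };
  }
  let body;
  try {
    body = JSON.parse(rawBody);
  } catch {
    return { status: 400, error: 'invalid JSON' };
  }
  const result = validateProjectName(body.title);
  if (!result.ok) {
    return { status: 400, error: result.error };
  }
  return { status: 200, project: { title: result.value } };
}

// Constructed sample requests: a normal name and an oversized one in the spirit of the report's payload.
const normalBody = JSON.stringify({ title: 'Inventory' });
const hugeBody = JSON.stringify({ title: 'A'.repeat(150000) });

console.log('unchecked:', createProjectUnchecked(JSON.parse(hugeBody)).status); // 200
console.log('hardened (huge):', createProjectHardened(hugeBody).status);        // 413
console.log('hardened (normal):', createProjectHardened(normalBody).status);    // 200
```

The two layers are deliberate: the field-level limit is what the recommendation asks for, but a cap on the raw body is what keeps the server from reading and parsing a multi-megabyte request before it ever looks at the field.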

Impact

It can lead to a denial of service attack

We are processing your report and will contact the nocodb team within 24 hours. 2 months ago
Arjun E modified the report
2 months ago
We have contacted a member of the nocodb team and are waiting to hear back 2 months ago
nocodb/nocodb maintainer
2 months ago

Maintainer


Handled in the PR image below.

docker run -d -p 8888:8080 nocodb/nocodb-timely:0.91.10-pr-2416-20220617-1132

Expected to be available in the next release.

navi gave praise a month ago
Thank you for the report - we are looking at debugging the issue
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1
We have sent a follow up to the nocodb team. We will try again in 7 days. a month ago
nocodb/nocodb maintainer has acknowledged this report a month ago
Arjun E
a month ago

Researcher


Any updates?

nocodb/nocodb maintainer validated this vulnerability a month ago
Arjun E has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
nocodb/nocodb maintainer confirmed that a fix has been merged on 000ecd a month ago
The fix bounty has been dropped
Arjun E
a month ago

Researcher


@admin am I eligible to assign a CVE?

Jamie Slome
a month ago

Admin


We are happy to assign and publish a CVE if the maintainer is happy to do so as well.

@maintainer - are you happy with a CVE for this report?

Arjun E
6 days ago

Researcher


@maintainer - Any updates from your side?
