The NocoDB application allows a large number of characters to be inserted in the "New Project" input field on the create field, which can allow attackers to cause a Denial of Service (DoS) via a crafted HTTP request in nocodb/nocodb
Reported on
Jun 16th 2022
Proof of Concept
1. Go to http://localhost:8080/dashboard/#/projects
2. Click on New project and create.
3. Fill the "Enter project name" field with a huge number of characters (more than 1 lakh).
4. Copy the payload below, put it in the input field and click on continue.
You will see that the application accepts the large input, and if we increase the number of characters it can lead to DoS.
Download the payload from here:
https://drive.google.com/file/d/13IK67Sx93nvnb_3gLUBDLgoEC7XTQiso/view?usp=sharing
Video & Image POC:
https://drive.google.com/drive/folders/1N6h02blexPhQyj4MdfyPwNTOmKEXIfMu?usp=sharing
Patch recommendation:
The Project name input should be limited to 50 characters or a max of 100 characters.
Impact
It can lead to a denial of service attack
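The limit from the patch recommendation, enforced on the server so that a crafted HTTP request cannot bypass a client-side check. This is an added example, not code from the report or from NocoDB's fix; the function name `validateCreateProject`, the `title` field name and both limits are assumptions chosen for illustration.

```javascript
// Added example: server-side validation of a project-name request body.
// Assumed values: the report suggests 50 to 100 characters for the name.
const MAX_TITLE_CHARS = 100;
const MAX_BODY_BYTES = 4 * 1024; // hypothetical cap for this small JSON endpoint

// Takes the raw request body as a string and returns a result object.
// The size check runs before JSON.parse so an oversized payload is
// rejected without being parsed, validated or stored.
function validateCreateProject(rawBody) {
  if (Buffer.byteLength(rawBody, 'utf8') > MAX_BODY_BYTES) {
    return { ok: false, status: 413, error: 'request body too large' };
  }
  let body;
  try {
    body = JSON.parse(rawBody);
  } catch (e) {
    return { ok: false, status: 400, error: 'invalid JSON' };
  }
  // `title` is an assumed field name for the project name.
  const title = body && body.title;
  if (typeof title !== 'string') {
    return { ok: false, status: 400, error: 'title must be a string' };
  }
  const trimmed = title.trim();
  // Count Unicode code points rather than UTF-16 units, so a character
  // outside the BMP (an emoji, for example) counts as one.
  const length = Array.from(trimmed).length;
  if (length === 0 || length > MAX_TITLE_CHARS) {
    return { ok: false, status: 400,
             error: `title must be 1-${MAX_TITLE_CHARS} characters` };
  }
  return { ok: true, status: 200, title: trimmed };
}

// Constructed sample requests: a normal name, one just over the limit,
// and one the size described in the proof of concept.
for (const name of ['Inventory', 'A'.repeat(101), 'A'.repeat(100000)]) {
  const result = validateCreateProject(JSON.stringify({ title: name }));
  console.log(name.length, result.status, result.error || 'accepted');
}
```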
Handled in the PR image below.
docker run -d -p 8888:8080 nocodb/nocodb-timely:0.91.10-pr-2416-20220617-1132
Expected to be available in the next release.
We are happy to assign and publish a CVE if the maintainer is happy to do so as well.
@maintainer - are you happy with a CVE for this report?
The fix has been deployed. You may assign & publish a CVE.
@admin - maintainer is happy to assign the CVE. Please approve the CVE id @admin
I have started the CVE assignment process and it should be published shortly. Happy hunting :)