Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
NocoBase: Sensitive Data Exposure via SQL Blacklist Bypass
Vulnerability Description
NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. In 2.0.59 and earlier, NocoBase @nocobase/plugin-collection-sql used the checkSQL() function in packages/plugins/@nocobase/plugin-collection-sql/src/server/utils.ts with an incomplete keyword blacklist that did not restrict PostgreSQL system catalog tables such as pg_shadow, pg_roles, and pg_stat_activity, allowing an admin-role user to read password hashes and database metadata through the SQL Collection feature. This vulnerability is fixed in 2.1.0-alpha.46.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N
Vulnerability Type
不完整的黑名单
Vulnerability Title
Nocobase 输入验证错误漏洞
Vulnerability Description
Nocobase是NocoBase公司开源的一个低代码平台。 NocoBase 2.1.0-alpha.46之前版本存在安全漏洞,该漏洞源于SQL Collection功能的checkSQL()函数使用了不完整的关键词黑名单,未限制PostgreSQL系统目录表,允许admin角色用户读取密码哈希值和数据库元数据。
CVSS Information
N/A
Vulnerability Type
N/A