CVE-2023-35843 — AI Deep Analysis Summary

🚨 **Essence**: NocoDB suffers from a **Path Traversal** vulnerability. 📂 💥 **Consequences**: Attackers can read **arbitrary files** on the server. This includes sensitive configs, source code, and private data. 😱

🛡️ **Root Cause**: **Path Traversal** flaw in the `/download` route. 📉 ⚠️ **Flaw**: The `path` parameter is not properly sanitized. 🚫 🔍 **CWE**: Not explicitly listed, but classic **Directory Traversal** (CWE-22).

🎯 **Affected**: **NocoDB** (Open-source Airtable alternative). 📊 📅 **Versions**: **0.106.0** and earlier. 🛑 🔧 **Components**: `attachments.controller.ts` handles the vulnerable logic. 📁

💀 **Hackers Can**: Access **ANY file** on the server. 📄 🔓 **Privileges**: Unauthenticated access. 🚪 📦 **Data Risk**: Config files, source code, secrets, and sensitive info. 🤫

📉 **Threshold**: **LOW**. 📉 🔑 **Auth**: **Unauthenticated**. No login needed! 🚫 ⚙️ **Config**: Just manipulate the `path` parameter in the `/download` route. 🎮

🔥 **Public Exp?**: **YES**. ✅ 📂 **PoCs**: Available on GitHub (e.g., Lserein, b3nguang). 💻 🤖 **Automated**: Nuclei templates exist for scanning. 🚀 🌍 **Wild Exp**: High risk of automated exploitation. ⚡

🔍 **Self-Check**: Scan for NocoDB instances. 🕵️‍♂️ 🧪 **Test**: Send request to `/download` with `path=../../etc/passwd`. 📝 📡 **Tools**: Use Nuclei or custom scripts to detect the flaw. 🛠️

🛠️ **Fixed?**: Yes, for versions **> 0.106.1**. ✅ 📦 **Patch**: Update NocoDB to the latest version. 🔄 📖 **Ref**: See GitHub commits for the fix in `attachment.ctl.ts`. 📜

🚧 **No Patch?**: **Mitigate**. 🛡️ 🚫 **Block**: Restrict access to `/download` route via WAF. 🧱 🔒 **Auth**: Force authentication if possible. 🔑 📉 **Limit**: Disable file download features if not needed. 📉

⚡ **Urgency**: **HIGH**. 🔴 🚨 **Priority**: Patch immediately! 🏃‍♂️ 📢 **Reason**: Unauthenticated, easy exploit, sensitive data at risk. 😱 📅 **Published**: June 2023, but still relevant for unpatched systems. 📆