
CVE-2022-2063: Improper Privilege Management in NocoDB

CVSS Score (v3.1): 8.8

Basic Information

EPSS Score: 0.76225%
Published: 6/14/2022
Updated: 1/27/2023
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Package Name | Ecosystem | Vulnerable Versions | First Patched Version
nocodb | npm | < 0.91.8 | 0.91.8

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stems from user context being improperly included in webhook template processing. The patch removes all user parameter references from:

  1. parseBody's function signature and template context
  2. axiosRequestMake's parameter handling
  3. invokeWebhook's notification payload construction
  4. Documentation about user variables in webhooks.md

This demonstrates that these functions were responsible for exposing privileged user information through webhook contexts, violating least-privilege principles. The high confidence comes from direct evidence in the commit diffs showing the removal of the user data flow from these specific functions.
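The following is an added illustration of the root cause described above; it is not NocoDB's code and does not reproduce its template engine. A minimal {{path}} renderer stands in for the real one, the sample row and user object are constructed, and the two parseBody-style functions only mirror the shape of the change (the acting user being passed into, and then removed from, the template context). The findUserReferences helper is an assumed audit check for spotting webhook bodies that reference the user object before upgrading.

```javascript
// Minimal placeholder renderer: replaces {{ a.b.c }} with the value found at
// that path in `context`, or with an empty string when the path is absent.
// This is an assumption standing in for whatever engine the project uses.
function renderTemplate(template, context) {
  return template.replace(/\{\{\s*([\w.]+)\s*\}\}/g, (_match, path) => {
    const value = path
      .split('.')
      .reduce((obj, key) => (obj == null ? undefined : obj[key]), context);
    return value === undefined ? '' : String(value);
  });
}

// Constructed sample data: the row that triggered the hook, and the
// (privileged) account in whose context the hook was invoked.
const sampleRow = { id: 42, title: 'Invoice #42', status: 'paid' };
const sampleUser = {
  id: 7,
  email: 'admin@example.com',
  roles: 'owner',
  api_token: 'nc_constructed_token_123', // constructed, not a real token
};

// Vulnerable shape: the acting user is part of the function signature and
// lands in the template context, so any template author can read it.
function parseBodyVulnerable(template, data, user) {
  return renderTemplate(template, { data, user });
}

// Hardened shape, mirroring the patch: the user is no longer passed in and
// no longer reachable from the template; only row data is exposed.
function parseBodyFixed(template, data) {
  return renderTemplate(template, { data });
}

// Assumed audit helper: list every {{ user.* }} reference in a stored
// webhook body template so an operator can find templates that would
// have leaked user context on a vulnerable version.
function findUserReferences(template) {
  const refs = [];
  for (const m of template.matchAll(/\{\{\s*(user(?:\.[\w]+)*)\s*\}\}/g)) {
    refs.push(m[1]);
  }
  return refs;
}

// Render one constructed webhook body through both shapes.
function demo() {
  const hookBody =
    '{"row":"{{ data.title }}","leak":"{{ user.email }}|{{ user.api_token }}"}';
  return {
    vulnerable: parseBodyVulnerable(hookBody, sampleRow, sampleUser),
    fixed: parseBodyFixed(hookBody, sampleRow),
    userRefs: findUserReferences(hookBody),
  };
}

console.log(demo());
```

With the vulnerable shape, a webhook body authored by any user allowed to edit hooks resolves {{ user.email }} and {{ user.api_token }} against the invoking account and ships them to the hook's target URL. With the patched shape the same placeholders render empty, because the user object is simply not in the context; the template engine does not need to know anything about privileges for that to hold.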


WAF Protection Rules

WAF Rule

Improper Privilege Management in GitHub repository nocodb/nocodb prior to 0.91.8.
