CVE-2022-3225: Budibase Improper Access Control vulnerability

CVSS Score (CVSS v3.1): 5.7

Basic Information

EPSS Score: 0.28883%
Published: 9/17/2022
Updated: 8/3/2023
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N

Package Name        Ecosystem   Vulnerable Versions   First Patched Version
@budibase/worker    npm         < 1.3.20              1.3.20
@budibase/builder   npm         < 1.3.20              1.3.20
@budibase/bbui      npm         < 1.3.20              1.3.20

Vulnerability Intelligence
Root Cause Analysis

The primary vulnerability stems from the updateSelf() function's lack of input validation: because the fields a user submits are applied without being checked, a user can update arbitrary fields on their own record and escalate privileges (CWE-284). The buildQueryString() function's handling of encoded bindings shows evidence of dynamic code resource control issues (CWE-913), though its direct exploit path is less clear. The patch added field whitelisting (sanitiseUserUpdate) and binding-aware encoding to address these two issues respectively.
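The following is an added example, not code from Budibase or from this page, showing the self-update pattern described above written two ways: the unchecked form, where every submitted field is copied onto the stored user, and a field-allowlisted form of the kind the patch introduced. The field names, the admin flag, the allowlist and the sample request body are all assumptions constructed for the illustration; the function names are this example's own and are not the project's sanitiseUserUpdate.

```javascript
// Added example (not Budibase code): a "update my own profile" handler written
// two ways. Field names, the admin flag and the request bodies below are
// constructed for illustration and are not taken from the Budibase code base.

// Fields a user may change on their own record (assumed set for this example).
const SELF_EDITABLE_FIELDS = ["firstName", "lastName", "email"];

// Unchecked pattern: every key in the request body is copied onto the stored
// user record, so a caller who is only meant to edit their own profile can also
// overwrite fields that govern authorisation (the access-control gap, CWE-284).
function applySelfUpdateUnchecked(storedUser, body) {
  return Object.assign({}, storedUser, body);
}

// Hardened pattern: keep only allowlisted keys and report the rest, so nothing
// outside the allowlist can reach the stored record. This mirrors the
// field-whitelisting approach the root cause analysis describes; the function
// name and return shape are this example's own.
function sanitiseSelfUpdate(body, allowed = SELF_EDITABLE_FIELDS) {
  const accepted = {};
  const rejected = [];
  for (const key of Object.keys(body)) {
    if (allowed.includes(key)) {
      accepted[key] = body[key];
    } else {
      rejected.push(key);
    }
  }
  return { accepted, rejected };
}

function applySelfUpdateChecked(storedUser, body) {
  const { accepted, rejected } = sanitiseSelfUpdate(body);
  // A non-empty `rejected` list is worth logging: repeated attempts to write
  // authorisation fields through a self-service endpoint are a useful
  // detection signal even though the write itself is dropped.
  return { user: { ...storedUser, ...accepted }, rejected };
}

// Constructed sample data: a stored user and a request that changes a display
// name and, alongside it, tries to set the (assumed) admin flag.
const STORED_USER = {
  _id: "us_example",
  email: "alice@example.com",
  firstName: "Alice",
  admin: { global: false },
};

const REQUEST_BODY = {
  firstName: "Alice2",
  admin: { global: true },
};

// Applies the same request both ways and returns what each leaves behind.
function demo() {
  const unchecked = applySelfUpdateUnchecked(STORED_USER, REQUEST_BODY);
  const checked = applySelfUpdateChecked(STORED_USER, REQUEST_BODY);
  return {
    uncheckedAdmin: unchecked.admin.global,  // true: the flag was overwritten
    checkedAdmin: checked.user.admin.global, // false: the flag is untouched
    checkedName: checked.user.firstName,     // "Alice2": allowed edit applied
    rejected: checked.rejected,              // ["admin"]: dropped and reportable
  };
}

console.log(demo());
```

The allowlist is the whole control: new fields added to the user record later are denied by default until someone deliberately adds them to SELF_EDITABLE_FIELDS, which is the property a blocklist of "dangerous" fields would not give.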

WAF Protection Rules

WAF Rule

Improper Access Control in GitHub repository budibase/budibase prior to 1.3.20.
