Miggo Logo
Miggo Vulnerability Database
CVE-2022-3423

CVE-2022-3423: NocoDB vulnerable to Denial of Service

6.5

CVSS Score
3.1

Basic Information

CVE ID
CVE-2022-3423
GHSA ID
GHSA-grv6-m753-3w2g
EPSS Score
0.78877%
CWE
CWE-400
Published
10/7/2022
Updated
7/21/2023
KEV Status
No
Technology
TechnologyJavaScript

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
nocodbnpm< 0.92.00.92.0

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stemmed from missing input validation on the 'New Project' field. The patch adds length validation (max 50 chars) to these form handling components. The files shown in the diff (CreateOrEditProject.vue, id.vue, xcdb.vue) all modified their validation rules from simple presence checks to include length restrictions, indicating these were the vulnerable points where unbounded input could be submitted. The CWE mapping to 'Uncontrolled Resource Consumption' (CWE-400) and 'Allocation of Resources Without Limits' (CWE-770) directly correlates with missing input size validation in project creation workflows.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

No*o** prior to *.**.* *llows **tors to ins*rt l*r** ***r**t*rs into t** input *i*l* `N*w Proj**t` on t** *r**t* *i*l*, w*i** **n **us* * **ni*l o* S*rvi** (*oS) vi* * *r**t** *TTP r*qu*st. V*rsion *.**.* *ix*s t*is issu*.

Reasoning

T** vuln*r**ility st*mm** *rom missin* input v*li**tion on t** 'N*w Proj**t' *i*l*. T** p*t** ***s l*n*t* v*li**tion (m*x ** ***rs) to t**s* *orm **n*lin* *ompon*nts. T** *il*s s*own in t** *i** (`*r**t*Or**itProj**t.vu*`, `i*.vu*`, `x***.vu*`) *ll m