Compliance Impact

The vulnerability allows authenticated users to perform server-side requests to internal network addresses, potentially accessing sensitive internal services and cloud metadata endpoints such as AWS IAM credentials and GCP service tokens.

Such unauthorized access and potential data exfiltration could lead to breaches of confidentiality and unauthorized disclosure of sensitive information, which may impact compliance with data protection regulations like GDPR and HIPAA.

Specifically, if personal or protected health information is exposed or accessed through this vulnerability, it could result in non-compliance with these standards, leading to legal and financial consequences.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring for server-side requests initiated by the vulnerable Budibase automation step that target internal network addresses. Since the issue involves the processUrlFile function making fetch requests without IP blacklist validation, detection involves identifying unusual or unauthorized internal network requests originating from the Budibase server.

One approach is to analyze Budibase server logs or network traffic for requests to internal IP ranges (such as 127.0.0.1, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) that are triggered by authenticated users with builder permissions.

Suggested commands to help detect exploitation attempts or presence of this vulnerability include:

• Using network monitoring tools like tcpdump or tshark to capture outgoing requests from the Budibase server to internal IP ranges, for example: tcpdump -i <interface> src host <budibase-server-ip> and dst net 10.0.0.0/8
• Checking Budibase server logs for automation executions that include URLs pointing to internal IP addresses.
• Using grep or similar tools to search source code or deployed files for the vulnerable function usage, e.g., grep -r 'fetch(fileUrl)' packages/server/src/automations/steps/ai/extract.ts
• Verifying the Budibase version to ensure it is 3.34.8 or later, as versions prior to this are vulnerable.

Useful 0 Not Useful 0

Executive Summary

This vulnerability exists in Budibase, an open-source low-code platform, in versions prior to 3.34.8. The issue is in the processUrlFile function, which uses fetch(fileUrl) without applying the IP blacklist validation that other automation steps use. This means an authenticated user can make the server send requests to internal network addresses, potentially accessing internal resources that should be protected.

Useful 0 Not Useful 0

Impact Analysis

The vulnerability allows an authenticated user to trigger server-side requests to internal network addresses. This can lead to unauthorized access to internal systems or services that are not exposed externally, potentially exposing sensitive information or enabling further attacks within the internal network.

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate this vulnerability, you should upgrade Budibase to version 3.34.8 or later, where the issue with processUrlFile function using fetch without IP blacklist validation has been fixed.

Useful 0 Not Useful 0