Executive Summary

This vulnerability exists in Budibase, an open-source low-code platform, in versions prior to 3.38.1. The REST datasource integration component follows HTTP redirects without re-checking the IP blacklist. This allows an authenticated Builder user to access internal services, such as cloud metadata and databases, by redirecting requests through an attacker-controlled server.

Useful 0 Not Useful 0

Impact Analysis

The vulnerability can allow an authenticated user with Builder privileges to bypass IP blacklist protections and access internal services that should be restricted. This could lead to unauthorized access to sensitive internal resources like cloud metadata and databases, potentially exposing confidential information or enabling further attacks within the internal network.

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate this vulnerability, you should upgrade Budibase to version 3.38.1 or later, where the issue has been fixed.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability allows authenticated users to bypass IP blacklist restrictions and access internal services such as cloud metadata endpoints and databases. This could lead to unauthorized access to sensitive data, including potentially personal or protected information.

Such unauthorized access and potential data exposure could negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require strict controls on access to sensitive and personal data to protect confidentiality and privacy.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves an authenticated Budibase Builder creating a REST datasource that points to an attacker-controlled server which then redirects to internal services, bypassing IP blacklist checks.

To detect exploitation attempts on your system or network, monitor for unusual REST datasource creations or queries that involve HTTP redirects to suspicious or internal IP addresses.

You can also inspect Budibase server logs for REST datasource requests that follow redirects, especially those that access internal metadata or database endpoints.

While no specific commands are provided in the resources, general network and log inspection commands that may help include:

• Using network monitoring tools like tcpdump or Wireshark to capture HTTP traffic from Budibase server and look for redirect chains.
• Using grep or similar tools to search Budibase logs for REST datasource creation or query events involving URLs with redirects.
• Example command to check logs for redirect URLs (adjust path as needed): grep -i 'redirect' /path/to/budibase/logs/*
• Example tcpdump command to capture HTTP traffic on port 80 or 443: tcpdump -i any -A 'tcp port 80 or tcp port 443 and host <budibase-server-ip>'

Useful 0 Not Useful 0