Executive Summary

This vulnerability exists in Budibase, an open-source low-code platform, specifically in versions prior to 3.38.1. The issue is in the V1 Views API (POST /api/views), which accepts a calculation parameter from the request body. This parameter is directly interpolated into a CouchDB reduce function definition without proper validation.

Although there is an internal SCHEMA_MAP object that defines valid calculation types (sum, count, stats), the application does not actually validate the input against this map before using it. As a result, a user with Builder permissions can inject arbitrary JavaScript code that will be executed within the CouchDB JavaScript engine when the view is queried.

This vulnerability allows code injection due to lack of input validation and improper handling of user-supplied data in the reduce function.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have significant impacts because it allows a user with Builder permissions to execute arbitrary JavaScript code within the CouchDB engine. This can lead to unauthorized actions such as data manipulation, data leakage, or disruption of service.

Since the vulnerability affects confidentiality and integrity (as indicated by the CVSS score with high impact on confidentiality and integrity), it could result in exposure or alteration of sensitive data.

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate this vulnerability, upgrade Budibase to version 3.38.1 or later, where the issue has been fixed.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability allows an attacker with Builder permissions to inject and execute arbitrary JavaScript code within the CouchDB engine, potentially leading to unauthorized data access and exfiltration.

Such unauthorized access and potential data exfiltration could compromise the confidentiality and integrity of sensitive data, which may impact compliance with data protection regulations and standards like GDPR and HIPAA that require strict controls over data access and protection.

However, the vulnerability is limited to users with Builder role permissions and does not allow filesystem or network access, which somewhat limits the scope of impact.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves the Budibase V1 Views API (POST /api/views) accepting a calculation parameter that is not validated and is directly interpolated into a CouchDB reduce function. Detection involves identifying requests to this endpoint with suspicious or unexpected calculation parameter values.

To detect potential exploitation attempts or presence of this vulnerability, you can monitor HTTP POST requests to the /api/views endpoint and inspect the calculation parameter in the request body for unexpected or arbitrary JavaScript code.

Example commands to detect such activity might include:

• Using network traffic inspection tools like tcpdump or Wireshark to capture POST requests to /api/views.
• Using grep or similar tools on web server logs to find POST requests to /api/views containing the calculation parameter.
• Example grep command on access logs: grep -i 'POST /api/views' /var/log/nginx/access.log | grep 'calculation='
• If you have access to the Budibase server, review application logs for Builder role users making requests to the V1 Views API.

Note that no specific detection commands or tools are provided in the available resources, so detection relies on monitoring and analyzing requests to the vulnerable endpoint for suspicious calculation parameter values.

Useful 0 Not Useful 0