Executive Summary

This vulnerability exists in Budibase, an open-source low-code platform, in versions prior to 3.39.0. The OAuth2 token fetch function uses a raw fetch call without Server-Side Request Forgery (SSRF) protection. While other outbound HTTP calls in the codebase use a safe wrapper called fetchWithBlacklist(), this was not applied to the OAuth2 token endpoint. As a result, a user with the BUILDER role can manipulate the OAuth2 token URL to point to internal services such as CouchDB or cloud metadata endpoints, potentially exfiltrating sensitive data.

Useful 0 Not Useful 0

Impact Analysis

The vulnerability allows a user with BUILDER role privileges to perform SSRF attacks by redirecting the OAuth2 token fetch to internal services. This can lead to unauthorized access and exfiltration of sensitive internal data, such as database contents or cloud metadata, which could compromise the confidentiality of your system.

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate this vulnerability, upgrade Budibase to version 3.39.0 or later, where the OAuth2 token fetch function uses the safe wrapper fetchWithBlacklist() to prevent SSRF attacks.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability allows users with the BUILDER role to exfiltrate sensitive data such as OAuth2 client credentials and internal service information by exploiting SSRF in the OAuth2 token fetch function. The impact includes unauthorized access to internal services and cloud metadata, potentially leading to credential leakage and network reconnaissance.

Such unauthorized data access and leakage of sensitive credentials can negatively affect compliance with common standards and regulations like GDPR and HIPAA, which require protection of sensitive data and prevention of unauthorized access.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves Server-Side Request Forgery (SSRF) in Budibase's OAuth2 token fetch function, allowing an attacker with BUILDER role to cause the application to make unauthorized requests to internal services.

To detect exploitation attempts or presence of this vulnerability on your system or network, you can monitor for unusual outbound HTTP requests originating from the Budibase server to internal IP addresses or cloud metadata endpoints (e.g., 169.254.169.254).

• Use network monitoring tools or packet capture (e.g., tcpdump) to filter outbound HTTP requests to internal IP ranges or metadata service IPs.
• Check Budibase server logs for OAuth2 token fetch requests that contain unexpected or internal URLs.
• Example tcpdump command to capture suspicious outbound HTTP requests to internal IPs: sudo tcpdump -i <interface> tcp and dst net 169.254.0.0/16 or dst net 10.0.0.0/8 or dst net 172.16.0.0/12 or dst net 192.168.0.0/16 and port 80
• Use curl or similar tools to test the OAuth2 token endpoint with crafted URLs pointing to internal services to verify if SSRF protection is applied.

Useful 0 Not Useful 0