Mitigation Strategies

To mitigate this vulnerability, you should upgrade Budibase to version 3.35.4 or later, where the issue has been fixed.

Useful 0 Not Useful 0

Executive Summary

This vulnerability exists in Budibase, an open-source low-code platform, in versions prior to 3.35.4. The issue arises because certain route pattern matching functions compile unanchored regular expressions that test against the full request URL, including the query string. The CSRF middleware uses this matching system to decide whether to skip CSRF token validation. An unauthenticated attacker can exploit this by injecting a public route pattern into the query string, causing the middleware to skip CSRF validation entirely.

As a result, the attacker can perform state-changing cross-origin requests against any Worker API endpoint without a valid CSRF token.

• Sending admin invites
• Modifying global configuration
• Managing users

This vulnerability was fixed in Budibase version 3.35.4.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows an unauthenticated attacker to bypass CSRF token validation and perform unauthorized state-changing actions on the Budibase Worker API endpoints.

• Attackers can send admin invites without permission.
• Attackers can modify global configuration settings.
• Attackers can manage users, potentially adding or removing users or changing user roles.

Overall, this can lead to unauthorized administrative control and compromise of the system's integrity.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability allows an unauthenticated attacker to bypass CSRF token validation and perform unauthorized state-changing actions such as managing users and modifying global configuration. This can lead to unauthorized access and modification of sensitive data.

Such unauthorized access and data modification could potentially impact compliance with standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data against unauthorized access and changes.

However, the provided information does not explicitly state the direct impact on compliance with these regulations.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring for unusual or suspicious HTTP requests that include query strings injecting public route patterns, which cause the CSRF middleware to skip token validation.

Specifically, you can look for requests where the query string contains paths resembling internal API endpoints, such as "/api/global/auth/evil" or other public route patterns injected into the URL.

A practical approach is to analyze web server or application logs for requests with query parameters that match known public routes or patterns that should not appear in query strings.

Example commands to detect such suspicious requests include:

• Using grep on access logs to find query strings containing API paths: grep -E '\?[^ ]*/api/global/' /path/to/access.log
• Using curl or similar tools to test if the application improperly skips CSRF validation by crafting requests like: curl -X POST 'https://your-budibase-instance/api/global/users/invite?x=/api/global/auth/evil' -b 'session_cookie'
• Implementing network monitoring or intrusion detection rules to flag HTTP requests with query parameters containing suspicious route patterns.

Useful 0 Not Useful 0