Executive Summary

This vulnerability exists in Budibase, an open-source low-code platform, prior to version 3.35.3. The issue is with the VectorDB configuration endpoint, which accepts a host parameter without validating it against internal IP ranges, reserved hostnames, or URL schemes.

As a result, any authenticated user with builder-level access can supply an arbitrary host value such as 169.254.169.254 or localhost. This causes the server to initiate outbound TCP connections to internal network addresses or cloud metadata endpoints on behalf of the user.

This vulnerability was fixed in version 3.35.3.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows an authenticated user with builder-level access to make the server initiate outbound TCP connections to internal network addresses or cloud metadata endpoints.

This could potentially lead to unauthorized access to internal resources, exposure of sensitive information, or exploitation of internal services that are not normally accessible externally.

Useful 0 Not Useful 0

Mitigation Strategies

The vulnerability is fixed in Budibase version 3.35.3. To mitigate this vulnerability, you should upgrade your Budibase installation to version 3.35.3 or later.

Useful 0 Not Useful 0

Compliance Impact

This SSRF vulnerability in Budibase allows authenticated users with builder-level access to make the server initiate outbound connections to internal network addresses or cloud metadata endpoints. In cloud environments, this can lead to exposure of sensitive credentials or instance identity documents, potentially enabling privilege escalation or lateral movement within the network.

Such unauthorized access or exposure of sensitive internal resources and credentials could result in violations of data protection and security requirements mandated by common standards and regulations like GDPR or HIPAA, which require strict controls over access to sensitive data and infrastructure.

Therefore, if exploited, this vulnerability could negatively impact compliance by enabling attackers to access or exfiltrate sensitive information, undermining confidentiality and integrity controls required by these regulations.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring for unusual outbound TCP connections initiated by the Budibase server to internal IP addresses, reserved hostnames, or cloud metadata endpoints such as 169.254.169.254.

Since the vulnerability is exploited by sending an authenticated API request to the VectorDB configuration endpoint with an arbitrary host parameter, detection can involve inspecting logs for such requests or network traffic for unexpected outbound connections.

• Use network monitoring tools (e.g., tcpdump or Wireshark) to capture outbound connections from the Budibase server to internal IP ranges or metadata service IPs.
• Example tcpdump command to monitor outbound connections to internal IPs: tcpdump -i <interface> src host <budibase-server-ip> and dst net 169.254.0.0/16
• Check Budibase server logs or API access logs for authenticated requests to the VectorDB configuration endpoint containing suspicious host parameters such as 'localhost' or '169.254.169.254'.

Useful 0 Not Useful 0