CVE-2026-48152
Deferred - Pending Action
Budibase REST Datasource Authorization Secret Exposure

Publication date: 2026-05-27

Last updated on: 2026-05-27

Assigner: GitHub, Inc.

Description
Budibase is an open-source low-code platform. Prior to 3.39.0, the single-datasource GET and PUT routes are guarded by generic TABLE READ, not by Builder/Admin permission or datasource-specific ownership/resource checks. The built-in Basic app user role maps to the WRITE permission set, which includes table read/write and query write. A Basic user can therefore read an existing REST datasource, receive redacted authConfigs values, submit an update that changes only config.url while keeping the redacted placeholders, and trigger an existing saved relative-path REST query. During update, mergeConfigs() restores the old stored secret when it sees the redaction placeholder. During query execution, Budibase prefixes the attacker-controlled datasource config.url to the relative query path and applies the resolved stored auth headers. The result is server-side disclosure of the builder-configured REST Authorization secret to an attacker-controlled listener. This vulnerability is fixed in 3.39.0.
Meta Information
Published: 2026-05-27
Last Modified: 2026-05-27
Generated: 2026-06-17
AI Q&A: 2026-05-27
EPSS Evaluated: 2026-06-15
Affected Vendors & Products
Vendor: budibase
Product: budibase
Version / Range: 3.39.0
CWE
CWE-863: The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
AI Quick Actions
Executive Summary

This vulnerability exists in Budibase, an open-source low-code platform, prior to version 3.39.0. The issue arises because the single-datasource GET and PUT routes are protected only by a generic TABLE READ permission rather than more specific Builder/Admin permissions or datasource-specific ownership checks.

A user with the Basic app user role, which includes WRITE permissions, can read an existing REST datasource and receive redacted authentication configuration values. They can then submit an update that changes only the config.url while keeping the redacted placeholders intact.

During the update, the system restores the old stored secret when it detects the redaction placeholder. When the query executes, Budibase prefixes the attacker-controlled datasource config.url to the relative query path and applies the stored authentication headers. This leads to server-side disclosure of the builder-configured REST Authorization secret to an attacker-controlled listener.

This vulnerability was fixed in Budibase version 3.39.0.

Impact Analysis

This vulnerability can lead to unauthorized disclosure of sensitive REST Authorization secrets configured in Budibase. An attacker with Basic user permissions can exploit this flaw to obtain these secrets by manipulating datasource configurations.

With access to these secrets, an attacker could potentially impersonate legitimate services or users, access protected resources, or perform unauthorized actions within the system or connected services.

The CVSS score of 8.1 indicates a high severity impact, with confidentiality and integrity being highly affected, though availability is not impacted.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade Budibase to version 3.39.0 or later, where the issue has been fixed.

Compliance Impact

This vulnerability allows Basic app users to exfiltrate stored REST datasource authentication credentials, potentially exposing sensitive API keys, tokens, or credentials. Such unauthorized disclosure of sensitive information can lead to violations of data protection and privacy regulations like GDPR and HIPAA, which mandate strict controls over access to and protection of confidential data.

Because the vulnerability impacts confidentiality and integrity by exposing authentication secrets to unauthorized users, it may result in non-compliance with standards requiring secure handling of sensitive information and access controls.

Detection Guidance

Detection of this vulnerability involves monitoring for unauthorized or suspicious modifications to REST datasource configurations by Basic app users, especially changes to the datasource base URL that retain redacted authentication placeholders.

Network detection can focus on identifying outgoing requests from the Budibase server to unusual or attacker-controlled endpoints that may receive exfiltrated authentication secrets.

Suggested commands include:

  • Use network monitoring tools like tcpdump or Wireshark to capture and analyze outgoing HTTP requests from the Budibase server, filtering for unusual destination IPs or domains.
  • Example tcpdump command to capture HTTP traffic: sudo tcpdump -i any -A 'tcp port 80 or tcp port 443'
  • Check Budibase application logs for PUT or GET requests to datasource endpoints that include changes to the config.url field.
  • Use curl or similar tools to test if the Budibase instance allows Basic users to update datasource URLs and trigger saved queries, verifying if redacted placeholders are restored and secrets are leaked.
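As an added illustration of the log check described above (not Budibase code and not part of this advisory), the following Python flags the change pattern the guidance names: a datasource PUT from a non-builder role that changes config.url while an authConfigs value is still the redaction placeholder. The audit-event format, the placeholder string and the role names are assumptions made for the example.

```python
import json

# Assumed redaction marker; the real Budibase placeholder string is not given here.
REDACTED = "--secret-value--"
PRIVILEGED_ROLES = {"BUILDER", "ADMIN"}  # roles that should gate datasource writes

def is_suspicious_update(event):
    """Datasource PUT by a non-privileged role that changes config.url while
    an authConfigs value is still the redaction placeholder."""
    if event.get("method") != "PUT" or "/datasources/" not in event.get("path", ""):
        return False
    if event.get("role") in PRIVILEGED_ROLES:
        return False
    before = (event.get("before") or {}).get("config") or {}
    after = (event.get("after") or {}).get("config") or {}
    if before.get("url") == after.get("url"):
        return False
    # A placeholder left in place is what lets the server re-attach the stored secret.
    for auth in after.get("authConfigs") or []:
        if REDACTED in (auth.get("config") or {}).values():
            return True
    return False

def scan(lines):
    """Return (role, old_url, new_url) for each suspicious JSON-lines audit event."""
    hits = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip non-JSON lines
        if is_suspicious_update(event):
            cfg_before, cfg_after = event["before"]["config"], event["after"]["config"]
            hits.append((event["role"], cfg_before["url"], cfg_after["url"]))
    return hits

# Constructed sample audit events in a hypothetical format (not real Budibase logs).
BEARER = [{"type": "bearer", "config": {"token": REDACTED}}]
SAMPLE_LOG = [
    json.dumps({"method": "PUT", "path": "/api/datasources/ds_1", "role": "BASIC",
                "before": {"config": {"url": "https://api.internal.example", "authConfigs": BEARER}},
                "after": {"config": {"url": "https://listener.example.test", "authConfigs": BEARER}}}),
    json.dumps({"method": "PUT", "path": "/api/datasources/ds_1", "role": "BUILDER",
                "before": {"config": {"url": "https://api.internal.example", "authConfigs": BEARER}},
                "after": {"config": {"url": "https://api2.internal.example", "authConfigs": BEARER}}}),
    json.dumps({"method": "GET", "path": "/api/datasources/ds_1", "role": "BASIC"}),
    "not json at all",
]
```

Only the first event is reported: the builder's URL change and the read-only GET are not matches, and the non-JSON line is skipped.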