CVE-2023-43794: 
JavaScript vulnerability analysis and mitigation

Nocodb, an open source Airtable alternative, was found to contain a SQL injection vulnerability (CVE-2023-43794) that affects version 0.109.2. The vulnerability allows an authenticated attacker with creator access to query the underlying database through specially crafted payloads. This security issue was discovered by Sylwia Budzynska from the GitHub Security Lab team and has been tracked as GHSL-2023-141. The vulnerability was addressed in version 0.111.0 (GitHub Advisory).

The vulnerability exists in the SqliteClient.ts component, specifically in the triggerList method which creates a SQL query using the user-controlled table_name parameter value from the tableCreate endpoint. The issue manifests as a blind SQL injection, where attackers can use time-based payloads to determine the success of their queries. The vulnerability has been assigned a CVSS v3.1 base score of 4.9 (Medium) by NVD and 6.5 (Medium) by GitHub, with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N (NVD, GitHub Advisory).

The vulnerability can lead to information disclosure, allowing attackers to reveal data present in the database. Through time-based injection techniques, attackers can determine whether their SQL queries return true or false based on the response time, effectively enabling them to extract sensitive information from the database (GitHub Lab).

Users are advised to upgrade to version 0.111.0 or later, which contains the fix for this vulnerability. There are no known workarounds for this vulnerability (GitHub Advisory).