Platform
nodejs
Component
nocodb
Fixed in
0.91.7+
CVE-2022-2063 is an improper privilege management vulnerability (CWE-269) in NocoDB, a self-hosted Airtable alternative. The flaw lets an authenticated user act beyond the role they were granted, gaining unauthorized access to data and modifying it within the application. It affects NocoDB versions prior to 0.91.7; the fix shipped in 0.91.7, so 0.91.7 and later are not affected.
Because access checks are enforced incorrectly, an attacker can bypass them and perform actions their role does not permit, including reading, modifying, or deleting data stored in the NocoDB instance. The real-world impact depends on what the instance holds: where NocoDB manages business-critical records or personal data, exploitation amounts to a data breach and a loss of data integrity. The page also notes that successful exploitation could extend to account takeover and further compromise of the underlying system.
CVE-2022-2063 was publicly disclosed on June 13, 2022. No active exploitation campaigns have been confirmed, and no public Proof of Concept (PoC) code is known, but the CRITICAL severity rating and the low effort an authorized-but-low-privileged user would need suggest that exploitation is plausible; the EPSS score shown on this page (1.07%) nonetheless indicates a modest predicted probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog.
Exploit Status
EPSS
1.07% (78th percentile)
CVSS Vector
The primary mitigation for CVE-2022-2063 is to upgrade NocoDB to version 0.91.7 or later without delay; that release corrects the privilege management issue. If upgrading is not immediately feasible, reduce exposure in the meantime: audit every user's role in each project and remove any access beyond what that user needs, treat every account that can log in as potentially able to reach data outside its role, and monitor the NocoDB logs for activity that does not match a user's assigned role, such as edits or deletions from accounts that should only read.
Update NocoDB to version 0.91.7 or later, which fixes the improper privilege management vulnerability. For installations made through a Node.js package manager (npm or yarn), upgrade the nocodb package; for Docker deployments, pull the updated nocodb/nocodb image and recreate the container. Confirm the running version afterwards rather than assuming the upgrade took effect.
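The version check a practitioner wants here is "is the nocodb I actually have installed below 0.91.7?", which a plain string comparison gets wrong (e.g. "0.100.0" sorts before "0.91.7" lexically). The following is an added example, not NocoDB project code and not code from this page: it implements a semver comparison and walks an npm lockfile (both the lockfileVersion 1 nested "dependencies" tree and the lockfileVersion 2/3 "packages" map) to report every installed nocodb version that is still in the affected range. The lockfile embedded at the bottom is constructed for the example; the function names are this example's own.

```javascript
// Added example: flag installed nocodb versions below the 0.91.7 fix for
// CVE-2022-2063. Not NocoDB project code; names are this example's own.
const FIXED_VERSION = "0.91.7";

// Parse "MAJOR.MINOR.PATCH[-prerelease][+build]" into comparable parts.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(v.trim());
  if (!m) throw new Error(`not a semver string: ${v}`);
  return {
    core: [Number(m[1]), Number(m[2]), Number(m[3])],
    pre: m[4] ? m[4].split(".") : null,
  };
}

// Compare prerelease identifier lists per semver precedence rules:
// a release outranks any prerelease of the same core version, numeric
// identifiers are compared numerically and rank below alphanumeric ones.
function comparePre(a, b) {
  if (a === null && b === null) return 0;
  if (a === null) return 1;
  if (b === null) return -1;
  for (let i = 0; i < Math.max(a.length, b.length); i++) {
    if (a[i] === undefined) return -1;
    if (b[i] === undefined) return 1;
    const an = /^\d+$/.test(a[i]);
    const bn = /^\d+$/.test(b[i]);
    if (an && bn) {
      const d = Number(a[i]) - Number(b[i]);
      if (d !== 0) return Math.sign(d);
    } else if (an) {
      return -1;
    } else if (bn) {
      return 1;
    } else if (a[i] !== b[i]) {
      return a[i] < b[i] ? -1 : 1;
    }
  }
  return 0;
}

// Returns -1, 0 or 1 like a sort comparator, comparing numerically
// so that 0.100.0 correctly ranks above 0.91.7.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.core[i] !== pb.core[i]) return pa.core[i] < pb.core[i] ? -1 : 1;
  }
  return comparePre(pa.pre, pb.pre);
}

// True when the version is strictly below the fixed release.
function isVulnerableVersion(version) {
  return compareVersions(version, FIXED_VERSION) < 0;
}

// Collect every nocodb version recorded in a parsed package-lock.json.
function findNocodbVersions(lock) {
  const found = [];
  if (lock.packages) {
    // lockfileVersion 2 or 3: flat map keyed by install path.
    for (const [path, pkg] of Object.entries(lock.packages)) {
      if (path === "node_modules/nocodb" || path.endsWith("/node_modules/nocodb")) {
        found.push(pkg.version);
      }
    }
  } else if (lock.dependencies) {
    // lockfileVersion 1: nested dependency tree.
    const walk = (deps) => {
      for (const [name, dep] of Object.entries(deps)) {
        if (name === "nocodb" && dep.version) found.push(dep.version);
        if (dep.dependencies) walk(dep.dependencies);
      }
    };
    walk(lock.dependencies);
  }
  return found;
}

// One entry per installed copy, with the affected/not-affected verdict.
function auditLockfile(lock) {
  return findNocodbVersions(lock).map((v) => ({ version: v, vulnerable: isVulnerableVersion(v) }));
}

// Constructed sample lockfile for the example (not from a real project).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "my-app", version: "1.0.0" },
    "node_modules/nocodb": { version: "0.91.6" },
  },
};

if (typeof require !== "undefined" && require.main === module) {
  console.log(auditLockfile(SAMPLE_LOCK)); // [{ version: '0.91.6', vulnerable: true }]
}
```

To run it against a real project, replace SAMPLE_LOCK with the parsed contents of that project's package-lock.json (for example via fs.readFileSync) and act on any entry reported as vulnerable; a Docker deployment has no lockfile, so there the version the running container reports is what to compare against 0.91.7.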
CVE-2022-2063 is a critical vulnerability in NocoDB versions prior to 0.91.7 that allows unauthorized access and data modification due to improper privilege management.
Yes, if you are running any NocoDB version earlier than 0.91.7, you are affected by this vulnerability and should upgrade immediately.
Upgrade NocoDB to version 0.91.7 or later to patch the vulnerability. Review user permissions and implement stricter access controls if upgrading is not immediately possible.
While no confirmed active exploitation campaigns have been reported, the CRITICAL severity score suggests a high likelihood of future attacks.
Refer to the NocoDB security advisory on their GitHub repository: https://github.com/nocodb/nocodb/security/advisories/GHSA-949x-695x-747x