js · @budibase/server · Critical
@budibase/server <=3.39.0 JSON Injection Vulnerability in PUBLIC Queries
What changed
A security vulnerability in Budibase server <=3.39.0 allows unauthenticated attackers to read or modify all documents in backing databases via JSON injection in PUBLIC queries.
Who it affects
Any Budibase deployment where a workspace builder has set a non-SQL query (MongoDB, CouchDB, Elasticsearch, DynamoDB-PartiQL, or REST with bodyType=json) role to PUBLIC and published the app.
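The bug class behind this advisory, as an added illustration that is not Budibase's code and makes no claim about how its query layer is written: a non-SQL query template whose placeholder is filled in by raw text substitution before the JSON is parsed, beside a builder that JSON-encodes the value and a structural check a defender can run over request parameters. The template, placeholder syntax and sample input are constructed for this example.

```javascript
// Added example, not Budibase's own code. Assumes the generic shape of a
// JSON query template: a placeholder {{ name }} standing for a whole JSON
// value, filled in from a request parameter before the text is parsed.

// Vulnerable builder: pastes the raw parameter text into the template. A value
// that contains quotes and braces can close the intended string literal and
// add keys or operators of its own.
function buildQueryUnsafe(template, params) {
  const text = template.replace(/\{\{\s*(\w+)\s*\}\}/g, (_, name) => String(params[name] ?? ""));
  return JSON.parse(text);
}

// Hardened builder: replaces the placeholder (and its surrounding quotes, if
// any) with the JSON encoding of the value, so the parameter always becomes a
// single literal and can never change the query's structure.
function buildQuerySafe(template, params) {
  const text = template.replace(/"?\{\{\s*(\w+)\s*\}\}"?/g, (_, name) => JSON.stringify(params[name] ?? ""));
  return JSON.parse(text);
}

// Key paths of a parsed query, e.g. ["email"] or ["email.$ne", "_"].
function keyPaths(value, prefix = "") {
  if (!value || typeof value !== "object") return [prefix];
  return Object.keys(value).flatMap((k) => keyPaths(value[k], prefix ? `${prefix}.${k}` : k));
}

// Detection check for request filtering or log review: a parameter set has
// injected structure if the unsafe build's key paths differ from what the
// template yields with harmless probe values (or if the text no longer parses).
function injectedStructure(template, params) {
  const probe = Object.fromEntries(Object.keys(params).map((k) => [k, "probe"]));
  const expected = keyPaths(buildQuerySafe(template, probe)).join("\n");
  let built;
  try { built = buildQueryUnsafe(template, params); } catch { return true; }
  return keyPaths(built).join("\n") !== expected;
}

// Constructed sample: a MongoDB-style lookup by e-mail address.
const TEMPLATE = '{"email": "{{ email }}"}';
// Constructed parameter that, pasted in raw, turns the equality match into a
// match-everything operator: the "read all documents" outcome of the advisory.
const INJECTED = 'x", "email": {"$ne": null}, "_": "';

console.log(JSON.stringify(buildQueryUnsafe(TEMPLATE, { email: INJECTED })));
// {"email":{"$ne":null},"_":""}
console.log(JSON.stringify(buildQuerySafe(TEMPLATE, { email: INJECTED })));
console.log(injectedStructure(TEMPLATE, { email: INJECTED })); // true
```

The same structural comparison works for any template whose placeholders stand for whole JSON values, whatever the backing store, because it compares shapes rather than looking for store-specific operator names.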
What to do today
Upgrade Budibase server to a patched version immediately; if not available, restrict PUBLIC queries or disable them until a fix is applied.