Budibase is an open-source low-code platform. Prior to version 3.33.4, an unauthenticated attacker can achieve Remote Code Execution (RCE) on the Budibase server by triggering an automation that contains a Bash step via the public webhook endpoint. No authentication is required to trigger the exploit.
The process executes as root inside the container. This issue has been patched in version 3.33.4.
Attack Parameters
Attack Vector
Network
Can be exploited remotely
Attack Complexity
High
Difficult to exploit
Privileges Required
None
No privileges needed
User Interaction
None
No user interaction needed
Impact Assessment
Confidentiality
High
Complete data leak
Integrity
High
Complete data modification
Availability
High
Complete denial of service
CVSS Vector v3.1
Weakness Type (CWE)
References 4
https://github.com/Budibase/budibase/commit/f0c731b409a96e401445a6a6030d2994ff4…
security-advisories@github.com
https://github.com/Budibase/budibase/pull/18238
security-advisories@github.com
https://github.com/Budibase/budibase/releases/tag/3.33.4
security-advisories@github.com
https://github.com/Budibase/budibase/security/advisories/GHSA-fcm4-4pj2-m5hf
security-advisories@github.com