Budibase Command Injection Vulnerability in Bash Automation Step

Vulnerability

A command injection vulnerability has been identified in Budibase, an open-source low-code platform, in versions prior to 3.33.4. The bash automation step passes the user-supplied command string to execSync without adequate sanitization or validation. Before execution the string is run through processStringSync, which performs template interpolation, so values from the automation context are expanded into the command before it reaches the shell. An attacker with access to create or modify automations can therefore inject shell metacharacters into the command, either directly or through an interpolated value, and have arbitrary commands executed on the server.

Impact

Exploitation of this vulnerability allows remote code execution on the Budibase server with the privileges of the Budibase process, leading to complete system compromise, data exfiltration, and potential lateral movement within the infrastructure.

Remediation

Users are advised to update to Budibase version 3.33.4 or later. Until the update can be applied, it is recommended to disable the bash automation step in production. Even after updating, consider restricting the step with an allowlist of permitted commands, executing commands without a shell (passing arguments as an array to an execFile-style API rather than building a shell string, so that escaping is not relied on), validating every interpolated argument, and adding rate limiting and monitoring for command execution.

Added: Apr 3, 2026, 4:39 PM
Updated: Apr 3, 2026, 4:39 PM

Vulnerability Rating

Custom Algorithm

spread          1.9
impact         10.0
exploitability  5.2
remediation     8.3
relevance       5.2
threat          0.0
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.