{ "affected": [ { "ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "3e154ba851e6a918b67a2e88738c11cc0ff25d5e" } ], "repo": "https://github.com/budibase/budibase", "type": "GIT" } ] } ], "aliases": [ "GHSA-9xg2-9mcv-985p" ], "database_specific": { "cna_assigner": "GitHub_M", "cwe_ids": [ "CWE-918" ], "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/29xxx/CVE-2023-29010.json" }, "details": "Budibase is a low code platform for creating internal tools, workflows, and admin panels. Versions prior to 2.4.3 (07 March 2023) are vulnerable to Server-Side Request Forgery. This can lead to an attacker gaining access to a Budibase AWS secret key. Users of Budibase cloud need to take no action. Self-host users who run Budibase on the public internet and are using a cloud provider that allows HTTP access to metadata information should ensure that when they deploy Budibase live, their internal metadata endpoint is not exposed.", "id": "CVE-2023-29010", "modified": "2026-03-13T21:48:03.659137830Z", "published": "2023-04-06T16:02:18.684Z", "references": [ { "type": "WEB", "url": "https://github.com/Budibase/budibase/commits/develop?after=93d6939466aec192043d8ac842e754f65fdf2e8a+594\u0026branch=develop\u0026qualified_name=refs%2Fheads%2Fdevelop" }, { "type": "WEB", "url": "https://github.com/Budibase/budibase/releases/tag/v2.4.3" }, { "type": "ADVISORY", "url": "https://github.com/Budibase/budibase/security/advisories/GHSA-9xg2-9mcv-985p" }, { "type": "ADVISORY", "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/29xxx/CVE-2023-29010.json" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-29010" } ], "schema_version": "1.7.3", "severity": [ { "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "type": "CVSS_V3" } ], "summary": "BudiBase Server-Side Request Forgery vulnerability" }