GHSA-qhxg-623c-cfjm
NocoDB: Plaintext Password Comparison in Shared Views
### Summary

The shared-view password check fell back to a strict-equality (`===`) comparison for legacy plaintext passwords, leaking the password's length and per-character prefix through response timing.
### Details

The bcrypt branch (hashes starting with `$2a$`/`$2b$`) was unaffected. The legacy fallback in `View.ts` now uses `crypto.timingSafeEqual` and a same-length dummy compare on the length-mismatch path, so total comparison time is approximately length-independent. The EE dashboard model's `verifyPassword` is patched the same way.
### Impact

A network-positioned attacker could mount a timing oracle against shared views whose passwords predated the bcrypt migration. Exploitation requires the ability to time shared-view authentication responses but no prior authentication.
### Credit

This issue was reported by [@Proscan-one](https://github.com/Proscan-one).