exploitDog
GHSA-227r-w5j2-6243

Published: 20 Mar 2025
Source: github
GitHub: reviewed
CVSS3: 9.1

Description

InvokeAI Arbitrary File Deletion vulnerability

In invoke-ai/invokeai version v5.0.2, the web API endpoint `POST /api/v1/images/delete` is vulnerable to arbitrary file deletion. The endpoint lets unauthorized attackers delete arbitrary files on the server, potentially including critical or sensitive system files such as SSH keys, SQLite databases, and configuration files, which affects the integrity and availability of any application that relies on those files. The assigned weaknesses are CWE-22 (path traversal) and CWE-20 (improper input validation): the file name the client submits is not confined to the images directory before the delete is performed.
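The bug class behind this advisory, illustrated as an added example (this is not InvokeAI's code, and the function names `delete_image_unsafe`, `delete_image_safe` and the `images_root` layout are assumptions made for the example): a client-controlled image name is joined onto the server's images directory and unlinked with no containment check, so `..` segments or an absolute path escape the directory. The hardened version rejects any directory component, resolves the final path (following symlinks) and requires its parent to be the resolved images root. `demo()` builds a throwaway tree with a constructed "config" file outside `images/` and shows the unsafe version removing it while the safe version refuses both traversal and absolute-path names.

```python
"""
Illustrative arbitrary-file-deletion pattern (CWE-22) and a hardened fix.
Added example; not the InvokeAI code base. All names are assumptions.
"""
import os
import shutil
import tempfile
from pathlib import Path


class UnsafePathError(ValueError):
    """Raised when a requested image name would escape the images directory."""


def delete_image_unsafe(images_root: Path, image_name: str) -> Path:
    """Vulnerable pattern: the client-supplied name is joined onto the images
    directory and unlinked with no containment check. A name like
    '../invokeai.yaml' walks out of the directory, and an absolute name makes
    Path.__truediv__ discard images_root entirely."""
    target = images_root / image_name
    target.unlink()
    return target


def delete_image_safe(images_root: Path, image_name: str) -> Path:
    """Hardened version: an image name must be a bare file name, and the
    resolved target must sit directly inside the resolved images root."""
    if (not image_name or image_name in (".", "..")
            or "/" in image_name or "\\" in image_name or os.sep in image_name):
        raise UnsafePathError(f"invalid image name: {image_name!r}")
    root = images_root.resolve()
    # resolve() follows symlinks, so a link planted inside images/ that points
    # elsewhere is also rejected by the parent check below.
    target = (root / image_name).resolve()
    if target.parent != root:
        raise UnsafePathError(f"path escapes images directory: {image_name!r}")
    if not target.is_file():
        raise FileNotFoundError(image_name)
    target.unlink()
    return target


def demo() -> dict:
    """Exercise both functions on a constructed directory tree and report
    what happened, so the outcome can be asserted on."""
    base = Path(tempfile.mkdtemp())
    try:
        images = base / "images"
        images.mkdir()
        (images / "cat.png").write_bytes(b"\x89PNG constructed sample")
        secret = base / "invokeai.yaml"  # constructed config file outside images/
        secret.write_text("constructed: true\n")
        results = {}

        # Vulnerable path: a traversal name deletes the file outside images/.
        delete_image_unsafe(images, "../invokeai.yaml")
        results["unsafe_deleted_outside"] = not secret.exists()

        # Hardened path: the same traversal name is refused and the file survives.
        secret.write_text("constructed: true\n")
        try:
            delete_image_safe(images, "../invokeai.yaml")
            results["safe_refused_traversal"] = False
        except UnsafePathError:
            results["safe_refused_traversal"] = secret.exists()

        # Absolute path: Path / '/abs/path' discards the root, so it must be refused too.
        try:
            delete_image_safe(images, str(secret))
            results["safe_refused_absolute"] = False
        except UnsafePathError:
            results["safe_refused_absolute"] = secret.exists()

        # Legitimate request: a bare file name inside images/ is deleted normally.
        delete_image_safe(images, "cat.png")
        results["safe_deleted_legit"] = not (images / "cat.png").exists()
        return results
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

The check is deliberately two-layered: rejecting separators up front keeps the API contract ("a bare image name") explicit, while the `resolve()` plus parent comparison catches anything the string check cannot see, such as a symlink already present in the images directory. Comparing the resolved parent rather than testing a string prefix avoids the classic `/srv/images` vs `/srv/images2` prefix mistake.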

Packages

Name: InvokeAI
Ecosystem: pip
Affected versions: < 5.3.0rc1
Fixed version: 5.3.0rc1

EPSS

Percentile: 74%
Score: 0.00882
Low

CVSS3: 9.1 Critical

Weaknesses

CWE-20
CWE-22

Related vulnerabilities

nvd: CVSS3 9.1, 4 months ago (same description, EPSS score and CWE entries as the GitHub advisory above)