GHSA-h254-g997-685c

Опубликовано: 20 мар. 2025

Источник: github

Github: Прошло ревью

CVSS3: 7.5

Описание

FastChat Server-Side Request Forgery vulnerability

A Server-Side Request Forgery (SSRF) vulnerability exists in lm-sys/fastchat version 0.2.36. The vulnerability is present in the /queue/join? endpoint, where insufficient validation of the path parameter allows an attacker to send crafted requests. This can lead to unauthorized access to internal networks or the AWS metadata endpoint, potentially exposing sensitive data and compromising internal servers.

Ссылки

Пакеты

Наименование

fschat

pip

Затронутые версииВерсия исправления

<= 0.2.36

Отсутствует

EPSS

Процентиль: 35%

0.00146

Низкий

7.5 High

CVSS3

CVE ID

CVE-2024-11603

Дефекты

CWE-918

Связанные уязвимости

CVE-2024-11603

CVSS3: 7.5

nvd

11 месяцев назад

A Server-Side Request Forgery (SSRF) vulnerability exists in lm-sys/fastchat version 0.2.36. The vulnerability is present in the `/queue/join?` endpoint, where insufficient validation of the path parameter allows an attacker to send crafted requests. This can lead to unauthorized access to internal networks or the AWS metadata endpoint, potentially exposing sensitive data and compromising internal servers.

EPSS

Процентиль: 35%

0.00146

Низкий

7.5 High

CVSS3

CVE ID

CVE-2024-11603

Дефекты

CWE-918