GHSA-h997-3fxj-p5j8

Published: 05 Aug 2024
Source: github
Github: Reviewed
CVSS4: 8.7
CVSS3: 7.5

Description

Flowise Path Injection at /api/v1/openai-assistants-file

Flowise is a drag & drop user interface to build a customized large language model flow. In version 1.4.3 of Flowise, the /api/v1/openai-assistants-file endpoint in index.ts is vulnerable to arbitrary file read due to lack of sanitization of the fileName body parameter. No known patches for this issue are available.

Packages

Name: flowise (npm)
Affected versions: <= 1.4.3
Fixed version: None

EPSS

Percentile: 49%
0.00259
Low

CVSS4: 8.7 High

CVSS3: 7.5 High

Weaknesses

CWE-74

Related vulnerabilities

CVSS3: 7.5
nvd
more than 1 year ago

Flowise is a drag & drop user interface to build a customized large language model flow. In version 1.4.3 of Flowise, the `/api/v1/openai-assistants-file` endpoint in `index.ts` is vulnerable to arbitrary file read due to lack of sanitization of the `fileName` body parameter. No known patches for this issue are available.
