GHSA-pqwr-phvv-v49f

Опубликовано: 20 мар. 2025

Источник: github

Github: Прошло ревью

CVSS3: 8.3

Описание

Open WebUI Allows Admin Deletion via API Endpoint

In open-webui/open-webui version v0.3.8, there is an improper privilege management vulnerability. The application allows an attacker, acting as an admin, to delete other administrators via the API endpoint http://0.0.0.0:8080/api/v1/users/{uuid_administrator}. This action is restricted by the user interface but can be performed through direct API calls.

Ссылки

Пакеты

Наименование

open-webui

pip

Затронутые версииВерсия исправления

<= 0.3.8

Отсутствует

EPSS

Процентиль: 26%

0.00092

Низкий

8.3 High

CVSS3

CVE ID

CVE-2024-7039

Дефекты

CWE-269

CWE-863

Связанные уязвимости

CVE-2024-7039

CVSS3: 6.7

nvd

11 месяцев назад

In open-webui/open-webui version v0.3.8, there is an improper privilege management vulnerability. The application allows an attacker, acting as an admin, to delete other administrators via the API endpoint `http://0.0.0.0:8080/api/v1/users/{uuid_administrator}`. This action is restricted by the user interface but can be performed through direct API calls.

EPSS

Процентиль: 26%

0.00092

Низкий

8.3 High

CVSS3

CVE ID

CVE-2024-7039

Дефекты

CWE-269

CWE-863