Description
BackendAI Missing Authentication for Critical Function
Missing Authentication in the registration feature of Lablup's BackendAI allows arbitrary users to create user accounts that can access private data even when registration is disabled.
References
- https://nvd.nist.gov/vuln/detail/CVE-2025-49652
- https://github.com/lablup/backend.ai/commit/37fc8f70f9bad2dd01fe2e288f9006e96f9914ed
- https://github.com/lablup/backend.ai/commit/b6d3ddd9e285a7ce59722a37585b9298681eb82f
- https://github.com/lablup/backend.ai/commit/d7704f506e319acff205d91bfca6e2ca92939983
- https://hiddenlayer.com/sai_security_advisor/2025-05-backendai-49653
- https://hiddenlayer.com/sai_security_advisor/2025-06-backendai
Packages

| Name | Affected versions | Fixed version |
| --- | --- | --- |
| backend.ai (pip) | < 25.15.6 | 25.15.6 |
| backend.ai (pip) | >= 25.16.0rc1, < 25.19.0rc1 | 25.19.0rc1 |
Related vulnerabilities
CVSS3: 9.8
nvd
8 months ago
Missing Authentication in the registration feature of Lablup's BackendAI allows arbitrary users to create user accounts that can access private data even when registration is disabled.