CVE-2024-7037
CVSS V2 None
CVSS V3 None
Description
In version v0.3.8 of open-webui/open-webui, the endpoint /api/pipelines/upload is vulnerable to arbitrary file write and delete due to unsanitized file.filename concatenation with CACHE_DIR. This vulnerability allows attackers to overwrite and delete system files, potentially leading to remote code execution.
Overview
- CVE ID
- CVE-2024-7037
- Assigner
- @huntr_ai
- Vulnerability Status
- PUBLISHED
- Published Version
- 2024-10-09T19:52:21.784Z
- Last Modified Date
- 2024-10-09T19:52:21.784Z
Weakness Enumerations
References
Reference URL | Reference Tags |
---|---|
https://huntr.com/bounties/8508db68-9c99-4b1c-828c-e1bfcacfb847 |
Sources
Source Name | Source URL |
---|---|
NIST | https://nvd.nist.gov/vuln/detail/CVE-2024-7037 |
MITRE | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-7037 |
History
Created | Old Value | New Value | Data Type | Notes |
---|---|---|---|---|
2024-10-10 13:18:10 | Added to TrackCVE |