CVE-2024-7048
CVSS V2 None
CVSS V3 None
Description
In version v0.3.8 of open-webui, an improper privilege management vulnerability exists in the API endpoints GET /api/v1/documents/ and POST /rag/api/v1/doc. This vulnerability allows a lower-privileged user to access and overwrite files managed by a higher-privileged admin. By exploiting this vulnerability, an attacker can view metadata of files uploaded by an admin and overwrite these files, compromising the integrity and availability of the RAG models.
Overview
- CVE ID
- CVE-2024-7048
- Assigner
- @huntr_ai
- Vulnerability Status
- PUBLISHED
- Published Version
- 2024-10-10T01:22:16.902Z
- Last Modified Date
- 2024-10-10T01:22:16.902Z
Weakness Enumerations
References
| Reference URL | Reference Tags |
|---|---|
| https://huntr.com/bounties/acd0b2dd-61eb-4712-82d3-a4e35d6ee560 |
Sources
| Source Name | Source URL |
|---|---|
| NIST | https://nvd.nist.gov/vuln/detail/CVE-2024-7048 |
| MITRE | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-7048 |
History
| Created | Old Value | New Value | Data Type | Notes |
|---|---|---|---|---|
| 2024-10-10 13:17:05 | Added to TrackCVE |