NVD:CVE-2024-36420
History: Jul 01, 2024 - 4:15 p.m.

CVE-2024-36420

2024-07-01 16:15:04
CWE-74
web.nvd.nist.gov
flowise
large language model
file read vulnerability
index.ts
api endpoint

CVSS3: 7.5

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS: 0.001
Percentile: 36.2%

Flowise is a drag & drop user interface to build a customized large language model flow. In version 1.4.3 of Flowise, the /api/v1/openai-assistants-file endpoint in index.ts is vulnerable to arbitrary file read due to lack of sanitization of the fileName body parameter. No known patches for this issue are available.

Affected configurations

Nvd
Node: flowiseai flowise, Match 1.4.3

Vendor: flowiseai
Product: flowise
Version: 1.4.3
CPE: cpe:2.3:a:flowiseai:flowise:1.4.3:*:*:*:*:*:*:*
