OSV:GHSA-P36R-QXGX-JQ2V
Jun 17, 2024 - 10:28 p.m.

Lobe Chat API Key Leak

2024-06-17 22:28:41
Google (osv.dev)
Tags: authentication, api key, attack, url, frontend, backend, request, sso, server-side, version, whitelist

CVSS3: 5.7

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N

AI Score: 6.9
Confidence: High

EPSS: 0
Percentile: 9.0%

Summary

If an attacker can successfully authenticate through SSO/Access Code, they can obtain the real backend API Key by modifying the base URL to their own attack URL on the frontend and setting up a server-side request.

Details

The attack process is described above.

PoC

Frontend:

  1. Pass basic authentication (SSO/Access Code).
  2. Set the Base URL to a private attack address.
  3. Configure the request method to be a server-side request.
  4. At the self-set attack address, retrieve the API Key information from the request headers.

Backend:

  1. The LobeChat version allows setting the Base URL.
  2. There is no outbound traffic whitelist.
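
A server-side guard for the two backend conditions above, as an added example (not LobeChat's code): a user-supplied Base URL is accepted only when its scheme and host match an outbound allowlist, and the server's API key is attached only after that check passes. The host names, `resolveBaseUrl` and `buildUpstreamRequest` are hypothetical.

```javascript
// Added example with hypothetical names; host values are constructed placeholders.
// Hosts (with any non-default port) that may receive the server's own API key.
const ALLOWED_HOSTS = new Set([
  "api.provider.example",
  "llm-gateway.internal.example:8443",
]);
const DEFAULT_BASE_URL = "https://api.provider.example/v1";

// Validate a Base URL supplied by an authenticated user.
// Returns { ok: true, baseUrl } or { ok: false, reason }.
function resolveBaseUrl(userBaseUrl) {
  if (userBaseUrl === undefined || userBaseUrl === null || userBaseUrl === "") {
    return { ok: true, baseUrl: DEFAULT_BASE_URL };
  }
  let url;
  try {
    url = new URL(userBaseUrl);
  } catch {
    return { ok: false, reason: "malformed URL" };
  }
  if (url.protocol !== "https:") {
    return { ok: false, reason: "scheme not https" };
  }
  // "https://allowed-host@other-host/" parses with other-host as the real host.
  if (url.username || url.password) {
    return { ok: false, reason: "userinfo not allowed" };
  }
  // Exact match on the parsed host: no suffix or substring comparison.
  if (!ALLOWED_HOSTS.has(url.host)) {
    return { ok: false, reason: "host not allowlisted" };
  }
  return { ok: true, baseUrl: url.origin + url.pathname.replace(/\/+$/, "") };
}

// Attach the server-held key only when the destination passed the allowlist.
function buildUpstreamRequest(userBaseUrl, serverApiKey) {
  const decision = resolveBaseUrl(userBaseUrl);
  if (!decision.ok) {
    return { ok: false, reason: decision.reason, headers: {} };
  }
  return {
    ok: true,
    baseUrl: decision.baseUrl,
    headers: { Authorization: `Bearer ${serverApiKey}` },
  };
}
```

The check belongs in the server route that issues the outbound request, since the frontend setting is under the user's control.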

Impact

Affects all community-version LobeChat users who use SSO/Access Code authentication. Tested on version 0.162.13.
