Vulnerability Information
Vulnerability Title
Maliciously Crafted Model Archive Can Lead To Arbitrary File Write in rasa
Vulnerability Description
Rasa is an open source machine learning framework to automate text- and voice-based conversations. In affected versions a vulnerability exists in the functionality that loads a trained model `tar.gz` file which allows a malicious actor to craft a `model.tar.gz` file which can overwrite or replace bot files in the bot directory. The vulnerability is fixed in Rasa 2.8.10. For users unable to update, ensure that users do not upload untrusted model files, and restrict CLI or API endpoint access where a malicious actor could target a deployed Rasa instance.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:H
Vulnerability Type
Improper Limitation of a Pathname to a Restricted Directory (Path Traversal)
Vulnerability Title
Rasa security vulnerability
Vulnerability Description
Rasa is an open source machine learning framework for automating text- and voice-based conversations. Rasa contains a security vulnerability that stems from affected versions loading an uploaded, untrusted model file without validation. An attacker can exploit this vulnerability to overwrite or replace bot files in the bot directory.
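The archive-based path traversal described in both vulnerability descriptions above, as an added example that is not Rasa's own code or its actual fix: a constructed `model.tar.gz` carries one ordinary member plus one whose name climbs out of the extraction directory with `../`. The unsafe loader extracts member names as given and lands a file outside the model directory; the hardened loader resolves every member path against the real destination and refuses the whole archive before extracting anything. The target name `credentials.yml` and the directory layout are hypothetical and exist only inside a temporary directory.

```python
"""Crafted model.tar.gz path traversal: unsafe extraction beside a validated one."""
import io
import os
import tarfile
import tempfile

MARKER = b"attacker-controlled content\n"  # constructed payload


def _add_member(tar, name, data):
    info = tarfile.TarInfo(name=name)
    info.size = len(data)
    tar.addfile(info, io.BytesIO(data))


def build_malicious_model_archive(archive_path):
    """Constructed sample: a fake model archive whose second member escapes
    the extraction directory via '../' components (hypothetical file name)."""
    with tarfile.open(archive_path, "w:gz") as tar:
        _add_member(tar, "fingerprint.json", b'{"version": "2.8.9"}\n')
        _add_member(tar, "../../credentials.yml", MARKER)
    return archive_path


def unsafe_unpack(archive_path, dest):
    """Vulnerable pattern: trust member names as given."""
    os.makedirs(dest, exist_ok=True)
    with tarfile.open(archive_path, "r:gz") as tar:
        if hasattr(tarfile, "data_filter"):
            # Python 3.12+ ships extraction filters; force the legacy behaviour
            # so the demonstration is identical on every interpreter version.
            tar.extractall(dest, filter="fully_trusted")
        else:
            tar.extractall(dest)


def safe_unpack(archive_path, dest):
    """Hardened pattern: every member must resolve inside dest and be a plain
    file or directory; any violation rejects the archive before extraction."""
    dest_real = os.path.realpath(dest)
    os.makedirs(dest_real, exist_ok=True)
    with tarfile.open(archive_path, "r:gz") as tar:
        for member in tar.getmembers():
            target = os.path.realpath(os.path.join(dest_real, member.name))
            if os.path.commonpath([dest_real, target]) != dest_real:
                raise ValueError(f"member escapes model directory: {member.name!r}")
            if not (member.isfile() or member.isdir()):
                # Symlinks and hard links could be used to redirect later writes.
                raise ValueError(f"unsupported member type: {member.name!r}")
        if hasattr(tarfile, "data_filter"):
            tar.extractall(dest_real, filter="data")
        else:
            tar.extractall(dest_real)


def run_demo():
    """Run both loaders against the crafted archive in a scratch directory."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        archive = build_malicious_model_archive(os.path.join(root, "model.tar.gz"))
        # '../../credentials.yml' relative to <root>/bot/models lands in <root>.
        escaped = os.path.join(root, "credentials.yml")

        unsafe_unpack(archive, os.path.join(root, "bot", "models"))
        results["unsafe_wrote_outside"] = os.path.exists(escaped)
        if os.path.exists(escaped):
            os.remove(escaped)

        safe_dest = os.path.join(root, "bot2", "models")
        try:
            safe_unpack(archive, safe_dest)
            results["safe_rejected"] = False
        except ValueError:
            results["safe_rejected"] = True
        results["safe_wrote_outside"] = os.path.exists(escaped)
        results["safe_extracted_nothing"] = not os.path.exists(
            os.path.join(safe_dest, "fingerprint.json"))
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The check compares `realpath` results rather than looking for a literal `..`, so absolute member names and traversal hidden behind symlinked directories are caught as well, and the validation pass runs over the whole member list before any byte is written, so a rejected archive leaves the model directory untouched.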
CVSS Information
N/A
Vulnerability Type
N/A