Vulnerability Information
Vulnerability Title
Collection of internally resolving IPs
Vulnerability Description
If an instance of AnythingLLM is hosted on an internal network and the attacker has been explicitly granted the manager or admin permission level, they can use the link collector to scrape URLs that resolve to internal IPs of other services on the same network as AnythingLLM. The attacker would also need to guess those internal IPs, since wildcard (`/*`) ranging is not possible, but they could be brute-forced one address at a time. There is a duty of care on operators that other services on the same network are not fully open and reachable with a simple unauthenticated curl, because the link collector cannot set headers or supply credentials.
CVSS Information
N/A
Vulnerability Type
Server-Side Request Forgery (SSRF)
Vulnerability Title
AnythingLLM Code Issue Vulnerability
Vulnerability Description
AnythingLLM is a document chatbot built for business use. AnythingLLM contains a code issue vulnerability: an attacker who already holds the manager or admin role can use it to brute-force the IPs of other services on the same network as AnythingLLM.
CVSS Information
N/A
Vulnerability Type
N/A