Vulnerability Information
Vulnerability Title
Remote Code Execution in infiniflow/ragflow
Vulnerability Description
A vulnerability in infiniflow/ragflow version v0.12.0 allows for remote code execution. The RPC server in RagFlow uses a hard-coded AuthKey, `authkey=b'infiniflow-token4kevinhu'`, which can be easily fetched by attackers to join the group communication without restrictions. Additionally, the server processes incoming data using pickle deserialization via `pickle.loads()` on `connection.recv()`, making it vulnerable to remote code execution. This issue is fixed in version 0.14.0.
CVSS Information
N/A
Vulnerability Type
Deserialization of Untrusted Data
Vulnerability Title
RAGFlow Code Issue Vulnerability
Vulnerability Description
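RAGFlow is an open-source RAG engine from InfiniFlow based on deep document understanding. RAGFlow v0.12.0 contains a code issue vulnerability that stems from a hard-coded AuthKey and pickle deserialization and may lead to remote code execution.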
CVSS Information
N/A
Vulnerability Type
N/A
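
The two weaknesses in the description (a secret compiled into the source, and unpickling of peer-supplied bytes) have a common hardened shape, sketched here as an added example; it is not RAGFlow's code and not the project's actual fix. The environment variable name `RPC_AUTHKEY`, the operation names, and the size limits are assumptions.

```python
import json
import os
from multiprocessing.connection import Listener

MIN_KEY_LEN = 32                  # assumption: minimum acceptable secret length
MAX_MSG = 64 * 1024               # assumption: upper bound for one request
ALLOWED_OPS = {"ping", "status"}  # hypothetical operation names


def load_authkey(env=os.environ) -> bytes:
    """Take the shared secret from the environment instead of the source tree."""
    key = env.get("RPC_AUTHKEY", "").encode()  # RPC_AUTHKEY is a hypothetical name
    if len(key) < MIN_KEY_LEN:
        raise RuntimeError(f"RPC_AUTHKEY must hold at least {MIN_KEY_LEN} bytes")
    return key


def parse_request(raw: bytes) -> dict:
    """Decode one request as JSON and validate its shape; nothing is unpickled."""
    msg = json.loads(raw.decode("utf-8"))
    if not isinstance(msg, dict) or msg.get("op") not in ALLOWED_OPS:
        raise ValueError("request rejected")
    return msg


def handle(conn) -> None:
    """Serve one request. recv_bytes() returns the raw bytes, whereas recv()
    would unpickle whatever the peer sent."""
    try:
        req = parse_request(conn.recv_bytes(MAX_MSG))
        reply = {"ok": True, "op": req["op"]}
    except (ValueError, RecursionError):  # bad UTF-8, bad JSON, schema, deep nesting
        reply = {"ok": False, "error": "bad request"}
    conn.send_bytes(json.dumps(reply).encode())


def make_listener(address=("127.0.0.1", 0)) -> Listener:
    """Listener whose HMAC challenge uses a per-deployment key, bound to loopback."""
    return Listener(address, authkey=load_authkey())
```

The server fails to start when the key is missing or short, so a deployment cannot silently fall back to a value that is readable in the repository.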