漏洞信息
尽管我们使用了先进的大模型技术,但其输出仍可能包含不准确或过时的信息。神龙努力确保数据的准确性,但请您根据实际情况进行核实和判断。
Vulnerability Title
GHSL-2023-234: Flowise Cors Misconfiguration in packages/server/src/index.ts
Vulnerability Description
Flowise is a drag & drop user interface to build a customized large language model flow. In version 1.4.3 of Flowise, A CORS misconfiguration sets the Access-Control-Allow-Origin header to all, allowing arbitrary origins to connect to the website. In the default configuration (unauthenticated), arbitrary origins may be able to make requests to Flowise, stealing information from the user. This CORS misconfiguration may be chained with the path injection to allow an attacker attackers without access to Flowise to read arbitrary files from the Flowise server. As of time of publication, no known patches are available.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Vulnerability Type
源验证错误
Vulnerability Title
Flowise 安全漏洞
Vulnerability Description
Flowise是一个用于轻松构建 LLM 应用程序的工具。 Flowise 1.4.3 版本存在安全漏洞,该漏洞源于跨域资源共享配置错误得将 Access-Control-Allow-Origin 标头设置为全部,允许任意来源连接到网站。在默认配置(未经身份验证)下,任意来源可能能够向 Flowise 发出请求,窃取用户信息。此 CORS 配置错误可能与路径注入相结合,允许攻击者(无需访问 Flowise)从 Flowise 服务器读取任意文件。
CVSS Information
N/A
Vulnerability Type
N/A