Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
IDOR in open-webui/open-webui
Vulnerability Description
In version v0.3.8 of open-webui, an improper privilege management vulnerability exists in the API endpoints GET /api/v1/documents/ and POST /rag/api/v1/doc. This vulnerability allows a lower-privileged user to access and overwrite files managed by a higher-privileged admin. By exploiting this vulnerability, an attacker can view metadata of files uploaded by an admin and overwrite these files, compromising the integrity and availability of the RAG models.
CVSS Information
N/A
Vulnerability Type
授权机制不正确
Vulnerability Title
Open WebUI 安全漏洞
Vulnerability Description
Open WebUI是Open WebUI开源的一个可扩展、功能丰富、用户友好的自托管 WebUI。 Open WebUI v0.3.8版本存在安全漏洞,该漏洞源于API 端点 GET /api/v1/documents/ 和 POST /rag/api/v1/doc 中权限管理不当。
CVSS Information
N/A
Vulnerability Type
N/A