Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information. Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Potential Insecure Direct Object Reference (IDOR) vulnerability in ragflow
Vulnerability Description
RAGFlow is an open-source RAG (Retrieval-Augmented Generation) engine based on deep document understanding. An authenticated user can exploit an Insecure Direct Object Reference (IDOR) vulnerability to gain unauthorized cross-tenant access: listing the user accounts of another tenant (e.g., via GET /<tenant_id>/user/list) and adding a user account to another tenant (POST /<tenant_id>/user). This issue has not yet been patched. Users are advised to reach out to the project maintainers to coordinate a fix.
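The pattern behind this flaw, as an added illustration that is not RAGFlow's code: the tenant is selected purely by the `<tenant_id>` path parameter, so the fix is to honour that parameter only when the authenticated caller is already a member of the tenant. Tenant ids, user names and the `TENANTS` store are constructed for the example.

```python
# Added illustration of the tenant-scoped IDOR described above (not RAGFlow's code).
# Assumed model: users belong to tenants; tenant_id arrives from the URL path.
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when the caller is not a member of the requested tenant."""


@dataclass
class Tenant:
    tenant_id: str
    members: set = field(default_factory=set)  # user ids belonging to this tenant


# Constructed sample data: the caller "alice" belongs only to tenant "t1".
TENANTS = {
    "t1": Tenant("t1", {"alice", "bob"}),
    "t2": Tenant("t2", {"carol"}),
}


def list_users_vulnerable(tenant_id: str, current_user: str) -> set:
    """IDOR: the tenant is chosen solely by the path parameter and the caller's
    own membership is never consulted, so any authenticated user can enumerate
    any tenant's members (the GET /<tenant_id>/user/list case)."""
    return set(TENANTS[tenant_id].members)


def require_tenant_member(tenant_id: str, current_user: str) -> Tenant:
    """Authorization gate: honour the path's tenant_id only if the caller is a member.
    Unknown tenant and non-member get the same error so tenant ids are not enumerable."""
    tenant = TENANTS.get(tenant_id)
    if tenant is None or current_user not in tenant.members:
        raise Forbidden(f"user {current_user!r} may not access tenant {tenant_id!r}")
    return tenant


def list_users_hardened(tenant_id: str, current_user: str) -> set:
    """Hardened GET /<tenant_id>/user/list: membership check before the lookup."""
    return set(require_tenant_member(tenant_id, current_user).members)


def add_user_hardened(tenant_id: str, current_user: str, new_user: str) -> set:
    """Hardened POST /<tenant_id>/user: the same gate protects the write path."""
    tenant = require_tenant_member(tenant_id, current_user)
    tenant.members.add(new_user)
    return set(tenant.members)


def tenant_access_allowed(tenant_id: str, current_user: str) -> bool:
    """Boolean form of the gate, convenient for tests and for audit logging of denials."""
    try:
        require_tenant_member(tenant_id, current_user)
        return True
    except Forbidden:
        return False
```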
CVSS Information
N/A
Vulnerability Type
Authorization Bypass Through User-Controlled Key
Vulnerability Title
RAGFlow security vulnerability
Vulnerability Description
RAGFlow is an open-source RAG engine based on deep document understanding, developed by InfiniFlow. RAGFlow contains a security vulnerability caused by an insecure direct object reference, which leads to unauthorized cross-tenant access.
CVSS Information
N/A
Vulnerability Type
N/A