Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
text-generation-webui allows arbitrary file read via symbolic link upload
Vulnerability Description
text-generation-webui is an open-source web interface for running Large Language Models. In versions through 3.13, a Local File Inclusion vulnerability exists in the character picture upload feature. An attacker can upload a text file containing a symbolic link to an arbitrary file path. When the application processes the upload, it follows the symbolic link and serves the contents of the targeted file through the web interface. This allows an unauthenticated attacker to read sensitive files on the server, potentially exposing system configurations, credentials, and other confidential information. This vulnerability is fixed in 3.14. No known workarounds exist.
CVSS Information
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Vulnerability Type
在文件访问前对链接解析不恰当(链接跟随)
Vulnerability Title
Text Generation Web UI 后置链接漏洞
Vulnerability Description
Text Generation Web UI是oobabooga个人开发者的一个本地AI的UI界面。 Text Generation Web UI 3.13及之前版本存在后置链接漏洞,该漏洞源于字符图片上传功能存在本地文件包含漏洞,可能导致读取服务器敏感文件。
CVSS Information
N/A
Vulnerability Type
N/A