Vulnerability Information
Vulnerability Title
Authorization Bypass due to Incorrect Access Control in danny-avila/librechat
Vulnerability Description
danny-avila/librechat is affected by an authorization bypass vulnerability due to improper access control checks. The `checkAccess` function in `api/server/middleware/roles/access.js` uses `permissions.some()` to validate permissions, which incorrectly grants access if only one of multiple required permissions is present. This allows users with the 'USER' role to create agents despite having `CREATE: false` permission, as the check for `['USE', 'CREATE']` passes with just `USE: true`. This vulnerability affects other permission checks as well, such as `PROMPTS`. The issue is present in all versions prior to the fix.
CVSS Information
N/A
Vulnerability Type
Improper Access Control
Vulnerability Title
LibreChat Access Control Error Vulnerability
Vulnerability Description
LibreChat is an enhanced ChatGPT clone by the individual developer Danny Avila. LibreChat has an access control error vulnerability, which stems from the checkAccess function in api/server/middleware/roles/access.js using permissions.some for permission validation, resulting in improper access control that may allow a permission bypass.
CVSS Information
N/A
Vulnerability Type
N/A
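The `some`-versus-`every` defect described in both vulnerability descriptions above, shown as an added JavaScript illustration that is not LibreChat's own code; the role table, the permission names and the `generateCheckAccess` middleware wrapper are assumptions constructed for this example.

```javascript
// Constructed role table (assumption): a USER may use agents and prompts
// but may not create them; an ADMIN may do both.
const roles = {
  USER: {
    permissions: {
      AGENTS: { USE: true, CREATE: false },
      PROMPTS: { USE: true, CREATE: false },
    },
  },
  ADMIN: {
    permissions: {
      AGENTS: { USE: true, CREATE: true },
      PROMPTS: { USE: true, CREATE: true },
    },
  },
};

// Vulnerable shape: `some` returns true as soon as ANY listed permission
// is granted, so ['USE', 'CREATE'] passes for USER on USE alone.
function checkAccessVulnerable(role, permissionType, permissions) {
  const granted = roles[role]?.permissions?.[permissionType] ?? {};
  return permissions.some((p) => granted[p] === true);
}

// Fixed shape: `every` requires ALL listed permissions to be granted,
// so a USER with CREATE: false is denied for ['USE', 'CREATE'].
function checkAccessFixed(role, permissionType, permissions) {
  const granted = roles[role]?.permissions?.[permissionType] ?? {};
  return permissions.every((p) => granted[p] === true);
}

// Hypothetical Express-style middleware factory built on the fixed check:
// an unknown role or a missing permission yields 403 instead of next().
function generateCheckAccess(permissionType, permissions) {
  return (req, res, next) => {
    const role = req.user?.role;
    if (checkAccessFixed(role, permissionType, permissions)) {
      return next();
    }
    return res.status(403).json({ message: 'Forbidden' });
  };
}
```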