Vulnerability Information
Although we use advanced large-model technology, its output may still contain inaccurate or outdated information. 神龙 makes every effort to ensure data accuracy, but please verify and judge according to your actual situation.
Vulnerability Title
RAGFlow: Server-Side Template Injection (SSTI) leading to Remote Code Execution (RCE) in Agent "Text Processing" Component
Vulnerability Description
RAGFlow is an open-source RAG (Retrieval-Augmented Generation) engine. In versions 0.24.0 and prior, a Server-Side Template Injection (SSTI) vulnerability exists in RAGFlow's Agent workflow Text Processing (StringTransform) and Message components. These components use Python's jinja2.Template (unsandboxed) to render user-supplied templates, allowing any authenticated user to execute arbitrary operating system commands on the server. At the time of publication, there are no publicly available patches.
CVSS Information
N/A
Vulnerability Type
Improper Input Validation
Vulnerability Title
RAGFlow security vulnerability
Vulnerability Description
RAGFlow is an open-source RAG engine based on deep document understanding, released by InfiniFlow. RAGFlow 0.24.0 and earlier versions contain a security vulnerability: the Agent workflow Text Processing and Message components use the unsandboxed jinja2.Template to render user-supplied templates, which may allow any authenticated user to execute arbitrary operating system commands on the server.
CVSS Information
N/A
Vulnerability Type
N/A
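Added illustration of the flaw class both entries describe, not RAGFlow's own code: the unsandboxed jinja2.Template call beside a rendering path that uses Jinja2's ImmutableSandboxedEnvironment, with a constructed context object, a made-up secret field and helper names that are assumptions of this example.

```python
"""Unsandboxed vs. sandboxed rendering of a user-supplied Jinja2 template.

jinja2.Template gives the template author full access to every object
reachable from the render context. The sandboxed environment refuses
attribute access Jinja2 classifies as unsafe (names starting with an
underscore, plus internal attributes of functions and types), so the same
template string can no longer reach into objects it was not given.
All names and values below are constructed for this example.
"""
from dataclasses import dataclass

import jinja2
from jinja2 import StrictUndefined
from jinja2.sandbox import ImmutableSandboxedEnvironment, SecurityError


@dataclass
class ComponentContext:
    """Constructed stand-in for an object a workflow component exposes."""
    input: str
    _api_key: str = "constructed-secret-do-not-ship"  # not meant for users


def render_unsandboxed(user_template: str, ctx: ComponentContext) -> str:
    """The vulnerable pattern: jinja2.Template renders with no restrictions."""
    return jinja2.Template(user_template).render(ctx=ctx)


# One shared sandbox. StrictUndefined turns unsafe lookups (and typos) into
# exceptions instead of silently rendering an empty string.
_SANDBOX = ImmutableSandboxedEnvironment(undefined=StrictUndefined)


def render_sandboxed(user_template: str, ctx: ComponentContext) -> str:
    """The hardened pattern: same template string, rendered in the sandbox."""
    return _SANDBOX.from_string(user_template).render(ctx=ctx)


def check_sandbox_blocks(user_template: str, ctx: ComponentContext) -> bool:
    """True if the sandbox rejects a template the unsandboxed path accepts."""
    try:
        render_sandboxed(user_template, ctx)
    except SecurityError:
        return True
    return False


if __name__ == "__main__":
    ctx = ComponentContext(input="hello")
    benign = "Echo: {{ ctx.input | upper }}"
    prying = "{{ ctx._api_key }}"
    print(render_unsandboxed(benign, ctx), render_sandboxed(benign, ctx))
    print(render_unsandboxed(prying, ctx))    # unsandboxed: leaks the field
    print(check_sandbox_blocks(prying, ctx))  # sandboxed: True (rejected)
```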