Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
WeKnora: Unauthorized Cross‑Tenant Knowledge Base Cloning
Vulnerability Description
WeKnora is an LLM-powered framework designed for deep document understanding and semantic retrieval. Prior to version 0.3.0, a cross-tenant authorization bypass in the knowledge base copy endpoint allows any authenticated user to clone (duplicate) another tenant’s knowledge base into their own tenant by knowing/guessing the source knowledge base ID. This enables bulk data exfiltration (document/FAQ content) across tenants. This issue has been patched in version 0.3.0.
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
Vulnerability Type
通过用户控制密钥绕过授权机制
Vulnerability Title
Tencent WeKnora 安全漏洞
Vulnerability Description
Tencent WeKnora是中国腾讯(Tencent)公司的一个基于LLM的框架,具有使用RAG范式进行深度文档理解、语义检索和上下文感知答案等功能。 Tencent WeKnora 0.3.0之前版本存在安全漏洞,该漏洞源于知识库复制端点存在跨租户授权绕过,可能导致跨租户数据渗漏。
CVSS Information
N/A
Vulnerability Type
N/A