Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
WeKnora: DNS Rebinding Vulnerability in web_fetch Tool Allows SSRF to Internal Resources
Vulnerability Description
WeKnora is an LLM-powered framework designed for deep document understanding and semantic retrieval. Prior to version 0.3.0, a DNS rebinding vulnerability in the web_fetch tool allows an unauthenticated attacker to bypass URL validation and access internal resources on the server, including private IP addresses (e.g., 127.0.0.1, 192.168.x.x). By crafting a malicious domain that resolves to a public IP during validation and subsequently resolves to a private IP during execution, an attacker can access sensitive local services and potentially exfiltrate data. This issue has been patched in version 0.3.0.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Vulnerability Type
服务端请求伪造(SSRF)
Vulnerability Title
Tencent WeKnora 代码问题漏洞
Vulnerability Description
Tencent WeKnora是中国腾讯(Tencent)公司的一个基于LLM的框架,具有使用RAG范式进行深度文档理解、语义检索和上下文感知答案等功能。 Tencent WeKnora 0.3.0之前版本存在代码问题漏洞,该漏洞源于web_fetch工具存在DNS重绑定,可能导致访问服务器内部资源。
CVSS Information
N/A
Vulnerability Type
N/A