Vulnerability Information
Vulnerability Title
LibreChat's IDOR in SSE Stream Subscription Allows Reading Other Users' Chats
Vulnerability Description
LibreChat is a ChatGPT clone with additional features. In versions 0.8.2-rc2 through 0.8.2-rc3, the SSE streaming endpoint `/api/agents/chat/stream/:streamId` does not verify that the requesting user owns the stream. Any authenticated user who obtains or guesses a valid stream ID can subscribe and read another user's real-time chat content, including messages, AI responses, and tool invocations. Version 0.8.2 patches the issue.
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
Vulnerability Type
Improper Access Control
Vulnerability Title
LibreChat Access Control Error Vulnerability
Vulnerability Description
LibreChat is a free, highly customizable unified AI conversation platform, open-sourced by LibreChat, that can aggregate and run large language models from any vendor within a single interface. LibreChat versions 0.8.2-rc2 through 0.8.2-rc3 contain an access control error vulnerability. The flaw stems from the SSE streaming endpoint /api/agents/chat/stream/:streamId not verifying that the requesting user owns the stream, which may allow any authenticated user who obtains or guesses a valid stream ID to subscribe to and read other users' real-time chat content.
CVSS Information
N/A
Vulnerability Type
N/A
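The missing check described in both descriptions above, as an added illustration that is not LibreChat's code: a minimal model of the stream-subscription handler, first with only an existence check (the vulnerable pattern) and then with the ownership check that the fix requires. The registry, user IDs and stream IDs are constructed sample values.

```javascript
// Added illustration, not LibreChat's code: a minimal model of an SSE
// stream-subscription handler, shown without an ownership check and with one.

// Constructed sample state: a registry of live streams keyed by stream ID.
// Each entry records the user who started the chat. In production the IDs
// would be random (e.g. crypto.randomUUID()); fixed values are used here only
// so the example is deterministic.
const STREAMS = new Map([
  ["stream-aaaa-1111", { ownerId: "user-alice", events: ["user: hi", "ai: hello", "tool: web_search"] }],
  ["stream-bbbb-2222", { ownerId: "user-bob", events: ["user: private question"] }],
]);

// Vulnerable pattern: only the stream's existence is checked, so any
// authenticated user holding a valid ID is subscribed to someone else's chat.
function subscribeUnchecked(streamId, requesterId, streams = STREAMS) {
  const stream = streams.get(streamId);
  if (!stream) return { status: 404, events: [] };
  return { status: 200, events: stream.events };
}

// Hardened pattern: requesterId comes from the verified session (never from the
// request itself) and must match the stream owner. An unknown ID and a foreign
// ID both return 404 so the response does not reveal which stream IDs exist;
// the denial is tagged so it can be written to an audit log and repeated
// probing of stream IDs can be detected server-side.
function subscribeChecked(streamId, requesterId, streams = STREAMS) {
  const stream = streams.get(streamId);
  if (!stream) return { status: 404, events: [] };
  if (stream.ownerId !== requesterId) {
    return { status: 404, events: [], audit: "stream_owner_mismatch" };
  }
  return { status: 200, events: stream.events };
}
```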