漏洞信息
尽管我们使用了先进的大模型技术,但其输出仍可能包含不准确或过时的信息。神龙努力确保数据的准确性,但请您根据实际情况进行核实和判断。
Vulnerability Title
Langflow has Unauthenticated IDOR on Image Downloads
Vulnerability Description
Langflow is a tool for building and deploying AI-powered agents and workflows. In versions 1.0.0 through 1.8.1, the `/api/v1/files/images/{flow_id}/{file_name}` endpoint serves image files without any authentication or ownership check. Any unauthenticated request with a known flow_id and file_name returns the image with HTTP 200. In a multi-tenant deployment, any attacker who can discover or guess a `flow_id` (UUIDs can be leaked through other API responses) can download any user's uploaded images without credentials. Version 1.9.0 contains a patch.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Vulnerability Type
访问控制不恰当
Vulnerability Title
Langflow 安全漏洞
Vulnerability Description
Langflow是Langflow开源的一个用于构建多代理和 RAG 应用程序的可视化框架。 Langflow 1.0.0版本至1.8.1版本存在安全漏洞,该漏洞源于/api/v1/files/images/{flow_id}/{file_name}端点缺少身份验证或所有权检查,可能导致未经授权下载用户图像。
CVSS Information
N/A
Vulnerability Type
N/A