漏洞信息
尽管我们使用了先进的大模型技术,但其输出仍可能包含不准确或过时的信息。神龙努力确保数据的准确性,但请您根据实际情况进行核实和判断。
Vulnerability Title
PraisonAI: Authentication Bypass in OAuthManager.validate_token()
Vulnerability Description
PraisonAI is a multi-agent teams system. Prior to version 4.5.97, OAuthManager.validate_token() returns True for any token not found in its internal store, which is empty by default. Any HTTP request to the MCP server with an arbitrary Bearer token is treated as authenticated, granting full access to all registered tools and agent capabilities. This issue has been patched in version 4.5.97.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Vulnerability Type
授权机制不正确
Vulnerability Title
PraisonAI 安全漏洞
Vulnerability Description
PraisonAI是Mervin Praison个人开发者的一个低代码多智能体协作框架。 PraisonAI 4.5.97之前版本存在安全漏洞,该漏洞源于OAuthManager.validate_token函数对于未在其内部存储中找到的任何令牌均返回True,可能导致任意Bearer令牌被视作已认证,授予对所有注册工具和代理功能的完全访问权限。
CVSS Information
N/A
Vulnerability Type
N/A