漏洞信息
尽管我们使用了先进的大模型技术,但其输出仍可能包含不准确或过时的信息。神龙努力确保数据的准确性,但请您根据实际情况进行核实和判断。
Vulnerability Title
Flowise: Unauthenticated OAuth 2.0 Access Token Disclosure via Public Chatflow
Vulnerability Description
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, Flowise contains an authentication bypass vulnerability that allows an unauthenticated attacker to obtain OAuth 2.0 access tokens associated with a public chatflow. By accessing a public chatflow configuration endpoint, an attacker can retrieve internal workflow data, including OAuth credential identifiers, which can then be used to refresh and obtain valid OAuth 2.0 access tokens without authentication. This vulnerability is fixed in 3.1.0.
CVSS Information
N/A
Vulnerability Type
关键功能的认证机制缺失
Vulnerability Title
Flowise 访问控制错误漏洞
Vulnerability Description
Flowise是FlowiseAI开源的一个用于轻松构建 LLM 应用程序的工具。 Flowise 3.1.0之前版本存在访问控制错误漏洞,该漏洞源于认证绕过漏洞,允许未经身份验证的攻击者获取与公共聊天流关联的OAuth 2.0访问令牌。
CVSS Information
N/A
Vulnerability Type
N/A