Lucene search

[email protected]CVE-2024-36420

HistoryJul 01, 2024 - 4:15 p.m.

CVE-2024-36420

2024-07-0116:15:04

CWE-74

[email protected]

web.nvd.nist.gov

flowise

vulnerability

file read

lack of sanitization

filename

api

known patches

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

0.0004 Low

EPSS

Percentile

9.2%

JSON

Flowise is a drag & drop user interface to build a customized large language model flow. In version 1.4.3 of Flowise, the /api/v1/openai-assistants-file endpoint in index.ts is vulnerable to arbitrary file read due to lack of sanitization of the fileName body parameter. No known patches for this issue are available.

Affected configurations

Vulners

NVD

Node

flowiseaiflowiseRange≤1.4.3

CPENameOperatorVersion
flowiseai:flowiseflowiseai flowiseeq1.4.3

CPE	Name	Operator	Version
flowiseai:flowise	flowiseai flowise	eq	1.4.3

CNA Affected

[
  {
    "vendor": "FlowiseAI",
    "product": "Flowise",
    "versions": [
      {
        "version": "<= 1.4.3",
        "status": "affected"
      }
    ]
  }
]

References

github.com/FlowiseAI/Flowise/blob/e93ce07851cdc0fcde12374f301b8070f2043687/packages/server/src/index.ts#L982

securitylab.github.com/advisories/GHSL-2023-232_GHSL-2023-234_Flowise/

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

0.0004 Low

EPSS

Percentile

9.2%

JSON

Related for CVE-2024-36420

cvelist1 nvd1 vulnrichment1