CVE-2024-24566 Lobe Chat unauthorized access to plugins

2024-01-3116:33:44

CWE-284

GitHub_M

www.cve.org

lobe chat

unauthorized access

plugins

vulnerability

patched

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

EPSS

0.001

Percentile

17.0%

JSON

Lobe Chat is a chatbot framework that supports speech synthesis, multimodal, and extensible Function Call plugin system. When the application is password-protected (deployed with the ACCESS_CODE option), it is possible to access plugins without proper authorization (without password). This vulnerability is patched in 0.122.4.

CNA Affected

[
  {
    "vendor": "lobehub",
    "product": "lobe-chat",
    "versions": [
      {
        "version": "< 0.122.4",
        "status": "affected"
      }
    ]
  }
]