Lucene search

Veracode Vulnerability DatabaseVERACODE:47596

HistoryJun 18, 2024 - 7:40 a.m.

Sensitive Information Disclosure

2024-06-1807:40:00

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

vulnerability

sensitive information

insecure handling

base url

frontend

attacker

modification

attack url

server-side request

backend api key

software

5.7 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N

6.5 Medium

AI Score

Confidence

Low

0.0004 Low

EPSS

Percentile

9.1%

JSON

@lobehub/chat is vulnerable to Sensitive Information Disclosure. The vulnerability is due to insecure handling of the base URL in the frontend, allowing an attacker to modify it to their own attack URL. The attacker can then set up a server-side request to obtain the real backend API key.

CPENameOperatorVersion
@lobehub/chatle0.162.23
@lobehub/chatle0.162.23

CPE	Name	Operator	Version
	@lobehub/chat	le	0.162.23
	@lobehub/chat	le	0.162.23

References

github.com/advisories/GHSA-p36r-qxgx-jq2v

github.com/lobehub/lobe-chat/security/advisories/GHSA-p36r-qxgx-jq2v

5.7 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N

6.5 Medium

AI Score

Confidence

Low

0.0004 Low

EPSS

Percentile

9.1%

JSON

Related for VERACODE:47596