CVE-2024-36420

Flowise is a drag & drop user interface to build a customized large language model flow. In version 1.4.3 of Flowise, the `/api/v1/openai-assistants-file` endpoint in `index.ts` is vulnerable to arbitrary file read due to lack of sanitization of the `fileName` body parameter. No known patches for this issue are available.
Configurations

Configuration 1 (hide)

cpe:2.3:a:flowiseai:flowise:1.4.3:*:*:*:*:*:*:*

History

03 Jul 2024, 15:29

Type Values Removed Values Added
References () https://github.com/FlowiseAI/Flowise/blob/e93ce07851cdc0fcde12374f301b8070f2043687/packages/server/src/index.ts#L982 - () https://github.com/FlowiseAI/Flowise/blob/e93ce07851cdc0fcde12374f301b8070f2043687/packages/server/src/index.ts#L982 - Product
References () https://securitylab.github.com/advisories/GHSL-2023-232_GHSL-2023-234_Flowise/ - () https://securitylab.github.com/advisories/GHSL-2023-232_GHSL-2023-234_Flowise/ - Exploit, Third Party Advisory
First Time Flowiseai
Flowiseai flowise
Summary
  • (es) Flowise es una interfaz de usuario de arrastrar y soltar para crear un flujo de modelo de lenguaje grande personalizado. En la versión 1.4.3 de Flowise, el endpoint `/api/v1/openai-assistants-file` en `index.ts` es vulnerable a la lectura arbitraria de archivos debido a la falta de sanitización del parámetro del cuerpo `fileName`. No hay parches conocidos disponibles para este problema.
CPE cpe:2.3:a:flowiseai:flowise:1.4.3:*:*:*:*:*:*:*

01 Jul 2024, 16:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-07-01 16:15

Updated : 2024-07-03 15:29


NVD link : CVE-2024-36420

Mitre link : CVE-2024-36420

CVE.ORG link : CVE-2024-36420


JSON object : View

Products Affected

flowiseai

  • flowise
CWE
CWE-74

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')