CVE-2024-47066

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2024-47066
Lobe Chat is an open-source artificial intelligence chat framework. Prior to version 1.19.13, server-side request forgery protection implemented in `src/app/api/proxy/route.ts` does not consider redirect and could be bypassed when attacker provides an external malicious URL which redirects to internal resources like a private network or loopback address. Version 1.19.13 contains an improved fix for the issue.

8.8 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://github.com/lobehub/lobe-chat/blob/main/src/app/api/proxy/route.ts Broken Link
https://github.com/lobehub/lobe-chat/commit/e960a23b0c69a5762eb27d776d33dac443058faf Patch
https://github.com/lobehub/lobe-chat/security/advisories/GHSA-3fc8-2r3f-8wrg Exploit Third Party Advisory
https://github.com/lobehub/lobe-chat/security/advisories/GHSA-mxhq-xw3g-rphc Not Applicable
Configurations

Configuration 1 (hide)

cpe:2.3:a:lobehub:lobe_chat:*:*:*:*:*:*:*:*
History

30 Sep 2024, 18:03

Type Values Removed Values Added
First Time Lobehub lobe Chat
Lobehub
CVSS v2 : unknown
v3 : 9.0 		v2 : unknown
v3 : 8.8
CPE cpe:2.3:a:lobehub:lobe_chat:*:*:*:*:*:*:*:*
References () https://github.com/lobehub/lobe-chat/blob/main/src/app/api/proxy/route.ts - () https://github.com/lobehub/lobe-chat/blob/main/src/app/api/proxy/route.ts - Broken Link
References () https://github.com/lobehub/lobe-chat/commit/e960a23b0c69a5762eb27d776d33dac443058faf - () https://github.com/lobehub/lobe-chat/commit/e960a23b0c69a5762eb27d776d33dac443058faf - Patch
References () https://github.com/lobehub/lobe-chat/security/advisories/GHSA-3fc8-2r3f-8wrg - () https://github.com/lobehub/lobe-chat/security/advisories/GHSA-3fc8-2r3f-8wrg - Exploit, Third Party Advisory
References () https://github.com/lobehub/lobe-chat/security/advisories/GHSA-mxhq-xw3g-rphc - () https://github.com/lobehub/lobe-chat/security/advisories/GHSA-mxhq-xw3g-rphc - Not Applicable

26 Sep 2024, 13:32

Type Values Removed Values Added
Summary
  • (es) Lobe Chat es un framework de chat de inteligencia artificial de código abierto. Antes de la versión 1.19.13, la protección contra server-side request forgery implementado en `src/app/api/proxy/route.ts` no tiene en cuenta la redirección y se puede omitir cuando el atacante proporciona una URL maliciosa externa que redirige a recursos internos como una red privada o una dirección de loopback. La versión 1.19.13 contiene una solución mejorada para el problema.

23 Sep 2024, 16:15

Type Values Removed Values Added
New CVE
Information

Published : 2024-09-23 16:15

Updated : 2024-09-30 18:03

NVD link : CVE-2024-47066

Mitre link : CVE-2024-47066

CVE.ORG link : CVE-2024-47066

JSON object : View

Products Affected

lobehub

  • lobe_chat
CWE
CWE-918

Server-Side Request Forgery (SSRF)


NetmanageIT Website NetmanageIT OSINT Web NetmanageIT OpenCTI NetmanageIT PDF Tools NetmanageIT CTO Corner Blog NetmanageIT Email Header Analyzer NetmanageIT Password Pusher NetmanageIT Internet Health and Latency Dashboard NetmanageIT Dedicated Speed Test Site NetmanageIT Ubuntu Mirror 10Gbps Copyright OpenCVE 2024