7.5

CVE-2024-36421

Exploit

EPSS 1.63%
Veröffentlicht 01.07.2024 16:15:04
Zuletzt bearbeitet 21.11.2024 09:22:08
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Flowise is a drag & drop user interface to build a customized large language model flow. In version 1.4.3 of Flowise, A CORS misconfiguration sets the Access-Control-Allow-Origin header to all, allowing arbitrary origins to connect to the website. In the default configuration (unauthenticated), arbitrary origins may be able to make requests to Flowise, stealing information from the user. This CORS misconfiguration may be chained with the path injection to allow an attacker attackers without access to Flowise to read arbitrary files from the Flowise server. As of time of publication, no known patches are available.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Flowiseai ≫ Flowise Version1.4.3

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	1.63%	0.816

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
security-advisories@github.com	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE-346 Origin Validation Error

The product does not properly verify that the source of data or communication is valid.

https://securitylab.github.com/advisories/GHSL-2023-232_GHSL-2023-234_Flowise/

Third Party Advisory

Exploit

https://github.com/FlowiseAI/Flowise/blob/e93ce07851cdc0fcde12374f301b8070f2043687/packages/server/src/index.ts#L122

Product

https://nvd.nist.gov/vuln/detail/CVE-2024-36421

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-36421

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-36421

EUVD