Vulnerability Description
Chroma DB API endpoints were accessible and exposed collection metadata, enabling enumeration of collections under the default tenant and database, potentially leading to sensitive vector data disclosure.
id: chroma-db-unauth

info:
  name: Chroma DB - Information Disclosure
  author: Shay Ben Tikva
  severity: high
  description: |
    Chroma DB API endpoints were accessible and exposed collection metadata, enabling enumeration of collections under the default tenant and database, potentially leading to sensitive vector data disclosure.
  reference:
    - https://www.trychroma.com/security
    - https://github.com/shaybentk/chroma-db-unauthorized-info-disclosure
  metadata:
    max-request: 2
    verified: true
  tags: misconfig,api,info-leak,unauth

http:
  - method: GET
    path:
      - "{{BaseURL}}/api/v1/collections?tenant=default_tenant&database=default_database"
      - "{{BaseURL}}/api/v2/tenants/default_tenant/databases/default_database/collections"

    stop-at-first-match: true
    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '"sync_threshold":'
          - '"log_position"'
        condition: and

      - type: word
        part: content_type
        words:
          - "application/json"

      - type: status
        status:
          - 200
# digest: 4a0a0047304502204460be0fb890034abd429730a80d56f30864c9765b245b1bed5dd12c61bb6a3d022100c95366b551a716a5fe5812530c5f48686cf0563d518dfc3d8b296a97a019fac9:922c64590222798bb761d5b6d8e72950
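The template above encodes its verdict in three matchers joined with `matchers-condition: and`, walked over two candidate paths with `stop-at-first-match`. The following Python is an added example, not part of the template or of the Chroma project, that reimplements that matcher logic offline so an operator can confirm, from responses captured against their own deployment, whether the listing is reachable without credentials and then fix the exposure (enable authentication and restrict network access per the vendor's security page linked above). The function names, the `{{BaseURL}}` expansion helper and the two sample response bodies are constructed for illustration; only the two endpoint paths and the two marker strings come from the template.

```python
"""Offline re-implementation of the chroma-db-unauth matcher logic.

Added example (not the template's own code). Evaluates captured HTTP
responses from your own Chroma instance against the same three matchers
the template uses, in the same order and with the same stop-at-first-match
semantics. Sample bodies below are constructed, not real Chroma output.
"""
import json

# Endpoint paths from the template (v1 and v2 API), in template order.
PROBE_PATHS = (
    "/api/v1/collections?tenant=default_tenant&database=default_database",
    "/api/v2/tenants/default_tenant/databases/default_database/collections",
)

# Body markers from the template's first word matcher (condition: and).
REQUIRED_WORDS = ('"sync_threshold":', '"log_position"')


def build_probe_urls(base_url: str) -> list[str]:
    """Expand {{BaseURL}} the way the template does, preserving path order."""
    base = base_url.rstrip("/")
    return [base + path for path in PROBE_PATHS]


def response_matches(status: int, content_type: str, body: str) -> bool:
    """Apply the template's three matchers joined with matchers-condition: and.

    1. word matcher on body: every REQUIRED_WORDS entry present (condition: and)
    2. word matcher on content_type: contains application/json
    3. status matcher: HTTP 200
    """
    body_ok = all(word in body for word in REQUIRED_WORDS)
    type_ok = "application/json" in content_type.lower()
    status_ok = status == 200
    return body_ok and type_ok and status_ok


def first_exposed_path(responses):
    """Walk captured responses in template order and stop at the first match.

    `responses` is an iterable of (path, status, content_type, body) tuples
    recorded from your own deployment. Returns the matching path, or None if
    no response satisfies all three matchers (i.e. the listing is not exposed).
    """
    for path, status, content_type, body in responses:
        if response_matches(status, content_type, body):
            return path
    return None


# Constructed sample: an unauthenticated collection listing. Only the two
# marker field names matter to the matcher; every other field is illustrative.
SAMPLE_EXPOSED_BODY = json.dumps([{
    "name": "customer-notes",
    "id": "00000000-0000-0000-0000-000000000000",
    "metadata": None,
    "tenant": "default_tenant",
    "database": "default_database",
    "log_position": 0,
    "version": 0,
    "configuration_json": {"hnsw_configuration": {"sync_threshold": 1000}},
}])

# Constructed sample: a deployment that enforces authentication.
SAMPLE_DENIED_BODY = json.dumps({"error": "Unauthorized"})


if __name__ == "__main__":
    # Replace these tuples with responses captured from your own instance.
    captured = [
        (PROBE_PATHS[0], 401, "application/json", SAMPLE_DENIED_BODY),
        (PROBE_PATHS[1], 200, "application/json", SAMPLE_EXPOSED_BODY),
    ]
    hit = first_exposed_path(captured)
    if hit:
        print("unauthenticated collection listing reachable via:", hit)
    else:
        print("no unauthenticated collection listing detected")
```

Note that the body matcher looks for the literal substring `"sync_threshold":` (with the trailing colon), so the check is sensitive to JSON serialisation: a response that renders the key without a following colon, or that is served with a non-JSON content type, does not match even if collections are listed. When adapting the check to other API versions, keep the two markers and the status/content-type conditions together, since any one of them alone produces false positives on unrelated JSON endpoints.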