CVE-2024-32964

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2024-32964
Lobe Chat is a chatbot framework that supports speech synthesis, multimodal, and extensible Function Call plugin system. Prior to 0.150.6, lobe-chat had an unauthorized Server-Side Request Forgery vulnerability in the /api/proxy endpoint. An attacker can construct malicious requests to cause Server-Side Request Forgery without logging in, attack intranet services, and leak sensitive information.

9.0 /10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 2.3 / Impact : 6.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact LOW

Availability Impact HIGH

Scope CHANGED

References
Link Resource
https://github.com/lobehub/lobe-chat/commit/465665a735556669ee30446c7ea9049a20cc7c37
https://github.com/lobehub/lobe-chat/security/advisories/GHSA-mxhq-xw3g-rphc
https://github.com/lobehub/lobe-chat/commit/465665a735556669ee30446c7ea9049a20cc7c37
https://github.com/lobehub/lobe-chat/security/advisories/GHSA-mxhq-xw3g-rphc
Configurations

No configuration.

History

21 Nov 2024, 09:16

Type Values Removed Values Added
References () https://github.com/lobehub/lobe-chat/commit/465665a735556669ee30446c7ea9049a20cc7c37 - () https://github.com/lobehub/lobe-chat/commit/465665a735556669ee30446c7ea9049a20cc7c37 -
References () https://github.com/lobehub/lobe-chat/security/advisories/GHSA-mxhq-xw3g-rphc - () https://github.com/lobehub/lobe-chat/security/advisories/GHSA-mxhq-xw3g-rphc -
Summary
  • (es) Lobe Chat es un framework de chatbot que admite síntesis de voz, sistema de complemento de llamada de función multimodal y extensible. Antes de la versión 0.150.6, lobe-chat tenía una vulnerabilidad de Server Side Request Forgery no autorizada en el endpoint /api/proxy. Un atacante puede crear solicitudes maliciosas para provocar una Server Side Request Forgery sin iniciar sesión, atacar servicios de intranet y filtrar información confidencial.

14 May 2024, 15:37

Type Values Removed Values Added
New CVE
Information

Published : 2024-05-14 15:37

Updated : 2024-11-21 09:16

NVD link : CVE-2024-32964

Mitre link : CVE-2024-32964

CVE.ORG link : CVE-2024-32964

JSON object : View

Products Affected

No product.

CWE
CWE-918

Server-Side Request Forgery (SSRF)