GHSA-mq92-jr35-ffpc

Source
https://github.com/advisories/GHSA-mq92-jr35-ffpc
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-mq92-jr35-ffpc/GHSA-mq92-jr35-ffpc.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-mq92-jr35-ffpc
Aliases
  • CVE-2024-7038
Published
2024-10-09T21:31:08Z
Modified
2024-10-16T02:20:06.841733Z
Severity
  • 2.7 (Low) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
  • 2.0 (Low) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P
Summary
open-webui allows enumeration of file names and traversal of directories by observing the error messages
Details

An information disclosure vulnerability exists in open-webui version 0.3.8. The vulnerability is related to the embedding model update feature under admin settings. When a user updates the model path, the system checks if the file exists and provides different error messages based on the existence and configuration of the file. This behavior allows an attacker to enumerate file names and traverse directories by observing the error messages, leading to potential exposure of sensitive information.
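The pattern the advisory describes (CWE-209, error messages that reveal filesystem state, combined with a path check that never confines the input to an allowed directory) is easiest to see as a vulnerable check next to its hardened form. The following is an added example written for this page; it is not open-webui's code, and the directory layout, file names and message strings are constructed for the demonstration.

```python
"""Added example (not open-webui's code): an existence-oracle file check and
a hardened replacement. Sandbox layout, paths and messages are constructed."""
import tempfile
from pathlib import Path

# One uniform client-visible message for every failure of the hardened check.
GENERIC_ERROR = "error: invalid model path"


def make_sandbox() -> Path:
    """Constructed layout for the demo:
    <tmp>/outside.bin          a file outside the allowed model directory
    <tmp>/models/model.bin     the only legitimately selectable model
    <tmp>/models/subdir/       a directory, to show the is_dir() oracle
    <tmp>/models/notes.txt     an existing file with the wrong extension
    """
    root = Path(tempfile.mkdtemp(prefix="oracle-demo-"))
    (root / "outside.bin").write_bytes(b"\x00")
    models = root / "models"
    (models / "subdir").mkdir(parents=True)
    (models / "model.bin").write_bytes(b"\x00")
    (models / "notes.txt").write_text("not a model")
    return models


def vulnerable_update(base_dir: Path, path: str) -> str:
    """Vulnerable pattern: each branch returns a different message, so the
    response tells the caller whether the path exists, is a directory, or is
    a file of some other type; nothing stops '..' from leaving base_dir."""
    p = base_dir / path
    if not p.exists():
        return "error: model path does not exist"
    if p.is_dir():
        return "error: model path is a directory"
    if p.suffix != ".bin":
        return "error: model file has unsupported format"
    return "ok: model path updated"


def hardened_update(base_dir: Path, path: str, audit_log: list) -> str:
    """Hardened form: resolve the candidate, require it to stay inside
    base_dir, and collapse every failure into the same client message.
    The specific reason is written only to the server-side audit log."""
    root = base_dir.resolve()
    try:
        candidate = (base_dir / path).resolve(strict=True)
    except OSError as exc:  # missing file, permission problem, symlink loop
        audit_log.append(f"rejected {path!r}: {type(exc).__name__}")
        return GENERIC_ERROR
    if not candidate.is_relative_to(root):  # Python 3.9+
        audit_log.append(f"rejected {path!r}: escapes model directory")
        return GENERIC_ERROR
    if not candidate.is_file() or candidate.suffix != ".bin":
        audit_log.append(f"rejected {path!r}: not a model file")
        return GENERIC_ERROR
    return "ok: model path updated"


# Constructed inputs covering the three oracle branches, a traversal, and
# the one valid value.
PROBES = ["missing.bin", "subdir", "notes.txt", "../outside.bin", "model.bin"]


def run_probes(base_dir: Path) -> dict:
    """Run every probe through both checks and return the responses plus
    the hardened check's server-side log."""
    log: list = []
    return {
        "vulnerable": {p: vulnerable_update(base_dir, p) for p in PROBES},
        "hardened": {p: hardened_update(base_dir, p, log) for p in PROBES},
        "server_log": log,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(run_probes(make_sandbox()), indent=2))
```

Run as a script, the vulnerable column yields three distinct error texts for the three non-matching probes and accepts `../outside.bin`, while the hardened column returns the single generic message for all four and accepts only `model.bin`. The point for a reviewer is that the fix is two things together: confinement of the resolved path to the configured directory, and a response that does not vary with the reason for rejection.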

Database specific
{
    "nvd_published_at": "2024-10-09T19:15:14Z",
    "cwe_ids": [
        "CWE-200",
        "CWE-209"
    ],
    "severity": "LOW",
    "github_reviewed": true,
    "github_reviewed_at": "2024-10-09T22:07:49Z"
}
References

Affected packages

PyPI / open-webui

Affected ranges

Type: ECOSYSTEM
Events:
  • Introduced: 0 (unknown introduced version; all previous versions are affected)
  • Last affected: 0.3.8

Affected versions

0.*

0.1.124
0.1.125
0.2.0.dev1
0.2.0.dev2
0.2.0.dev3
0.2.0.dev4
0.2.0
0.2.1
0.2.2
0.2.3
0.2.4
0.2.5
0.3.0
0.3.1
0.3.2
0.3.3
0.3.4
0.3.5
0.3.6
0.3.7
0.3.8