CVE-2024-7037

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22)

Published: Oct 9, 2024 / Updated: 41d ago

No CVSS yet / EPSS 0.04%

Summary

In version v0.3.8 of open-webui/open-webui, the endpoint /api/pipelines/upload is vulnerable to arbitrary file write and delete due to unsanitized file.filename concatenation with CACHE_DIR. This vulnerability allows attackers to overwrite and delete system files, potentially leading to remote code execution.

Impact

This vulnerability can have severe impacts on the affected system. Attackers can exploit this flaw to:

1. Overwrite critical system files, potentially compromising the integrity of the entire system.
2. Delete important files, leading to system instability or data loss.
3. Potentially achieve remote code execution, giving them full control over the affected server.

These attacks could result in unauthorized access, data theft, system downtime, or use of the compromised server for further malicious activities.

Exploitation

There is no evidence that a public proof-of-concept exists. There is no evidence of exploitation at the moment.

Patch

As of the current information, there is no mention of an available patch. However, given the severity of the vulnerability, it is likely that the open-webui/open-webui project will release a patched version soon. The security team should monitor the project's repository or official channels for updates.

Mitigation

Until a patch is available, consider the following mitigation strategies:

1. If possible, disable or restrict access to the vulnerable /api/pipelines/upload endpoint.
2. Implement strict input validation and sanitization for file names and paths on the server side.
3. Use a Web Application Firewall (WAF) to filter out potentially malicious requests.
4. Monitor system logs for any suspicious file operations or unauthorized access attempts.
5. If feasible, consider downgrading to a version prior to v0.3.8 if it's known to be unaffected.
6. Restrict the permissions of the web application to minimize potential damage from file operations.
7. Regularly back up critical data to ensure quick recovery in case of successful attacks.
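Mitigation 2 in practice, as an added example (not open-webui's code or its fix): it contrasts joining the client-supplied file.filename onto CACHE_DIR with an allow-list plus a resolved-path containment check. All function names and sample file names are constructed for illustration; only CACHE_DIR and file.filename come from the advisory.

```python
import os
import re
import tempfile
from pathlib import Path

# Allow-list for one file name: no separators, no leading dot, bounded length.
SAFE_NAME = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}")

def naive_cache_path(cache_dir: str, filename: str) -> str:
    """Flawed pattern from the advisory: client filename joined onto CACHE_DIR."""
    return os.path.normpath(os.path.join(cache_dir, filename))

def is_inside(cache_dir: str, path: str) -> bool:
    """True if path, after resolving '..' and symlinks, lies within cache_dir."""
    base = Path(cache_dir).resolve()
    return base in Path(path).resolve().parents

def safe_cache_path(cache_dir: str, filename: str) -> Path:
    """Return a write/delete target directly inside cache_dir or raise ValueError."""
    if not SAFE_NAME.fullmatch(filename):
        raise ValueError(f"rejected upload filename: {filename!r}")
    base = Path(cache_dir).resolve()
    target = (base / filename).resolve()
    # Defence in depth: a symlink already present in the cache must not
    # redirect the write or the later delete outside the directory.
    if target.parent != base:
        raise ValueError(f"resolved path leaves cache dir: {filename!r}")
    return target

def check_names(cache_dir: str, names: list[str]) -> dict[str, str]:
    """Map each candidate name to 'accepted' or 'rejected'."""
    result = {}
    for name in names:
        try:
            safe_cache_path(cache_dir, name)
            result[name] = "accepted"
        except ValueError:
            result[name] = "rejected"
    return result

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as cache:  # hypothetical stand-in for CACHE_DIR
        # Constructed sample names, not taken from any real request.
        samples = ["pipeline.py", "../outside.py", "/tmp/abs.py", "a/b.py", ".env"]
        for s in samples:
            print(f"{s!r}: naive join stays inside = {is_inside(cache, naive_cache_path(cache, s))}")
        print(check_names(cache, samples))
```

Rejecting a bad name outright, rather than silently trimming it to its last component, also gives the logging in mitigation 4 a clear event to record.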

Timeline

CVE Assignment - Oct 9, 2024 at 8:15 PM
NVD published the first details for CVE-2024-7037.

First Article - Oct 9, 2024 at 8:22 PM / National Vulnerability Database
Feedly found the first article mentioning CVE-2024-7037.

CVSS Estimate - Oct 9, 2024 at 8:22 PM
Feedly estimated the CVSS score as HIGH.

Vendor Advisory - Oct 9, 2024 at 9:31 PM
GitHub Advisories released a security advisory.

Threat Intelligence Report - Oct 10, 2024 at 3:20 AM
CVE-2024-7037 is a critical vulnerability in version v0.3.8 of open-webui/open-webui, allowing arbitrary file write and delete through unsanitized file name handling, potentially leading to remote code execution; it has been assigned a HIGH CVSS score. Currently, there is no evidence of exploitation in the wild or public proof-of-concept exploits, and no patch is available, though mitigation strategies such as restricting access to the vulnerable endpoint and implementing input validation are recommended. The vulnerability poses significant risks, including unauthorized access and data loss, which could impact downstream systems relying on the affected application.

EPSS - Oct 10, 2024 at 10:30 AM
EPSS Score was set to: 0.04% (Percentile: 11.2%)

Affected Systems

Open-webui/open-webui

Patches

GitHub Advisory

Attack Patterns

CAPEC-126: Path Traversal

Vendor Advisory

[GHSA-54f4-v6v9-9q82] open-webui allows writing and deleting arbitrary files
GitHub Security Advisory: GHSA-54f4-v6v9-9q82
Release Date: 2024-10-09
Update Date: 2024-10-09
Severity: Moderate
CVE-2024-7037

Package Information
Package: open-webui
Affected Versions:
Patched Versions: None

Description
In version v0.3.8 of open-webui/open-webui, the endpoint /api/pipelines/upload is vulnerable to arbitrary file write and delete due to unsanitized file.filename concatenation with CACHE_DIR. This vulnerability allows attackers to overwrite and delete system files, potentially leading to remote code execution.

References
https://nvd.nist.gov/vuln/detail/CVE-2024-7037
https://huntr.com/bounties/8508db68-9c99-4b1c-828c-e1bfcacfb847
https://github.com/open-webui/open-webui/blob/main/backend/main.py#L1513



CVSS V3.1

Unknown
