Vulnerabilites related to onyx - onyx
Vulnerability from fkie_nvd
Published
2025-03-20 10:15
Modified
2025-04-01 20:32
Severity ?
Summary
An improper access control vulnerability exists in danswer-ai/danswer version v0.3.94. This vulnerability allows the first user created in the system to view, modify, and delete chats created by an Admin. This can lead to unauthorized access to sensitive information, loss of data integrity, and potential compliance violations.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:onyx:onyx:0.3.94:*:*:*:*:*:*:*",
"matchCriteriaId": "27CB937B-3A49-4F61-9EA4-572AD261D653",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An improper access control vulnerability exists in danswer-ai/danswer version v0.3.94. This vulnerability allows the first user created in the system to view, modify, and delete chats created by an Admin. This can lead to unauthorized access to sensitive information, loss of data integrity, and potential compliance violations."
},
{
"lang": "es",
"value": "Existe una vulnerabilidad de control de acceso indebido en danswer-ai/danswer versi\u00f3n v0.3.94. Esta vulnerabilidad permite que el primer usuario creado en el sistema vea, modifique y elimine los chats creados por un administrador. Esto puede provocar acceso no autorizado a informaci\u00f3n confidencial, p\u00e9rdida de la integridad de los datos y posibles infracciones de cumplimiento."
}
],
"id": "CVE-2024-7767",
"lastModified": "2025-04-01T20:32:42.353",
"metrics": {
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "security@huntr.dev",
"type": "Secondary"
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.2,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2025-03-20T10:15:37.007",
"references": [
{
"source": "security@huntr.dev",
"tags": [
"Exploit"
],
"url": "https://huntr.com/bounties/1425dada-72d8-4bd9-a3e7-2863bb3e1a6c"
},
{
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"tags": [
"Exploit"
],
"url": "https://huntr.com/bounties/1425dada-72d8-4bd9-a3e7-2863bb3e1a6c"
}
],
"sourceIdentifier": "security@huntr.dev",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-284"
}
],
"source": "security@huntr.dev",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2025-03-20 10:15
Modified
2025-04-03 18:10
Severity ?
Summary
In danswer-ai/danswer v0.3.94, administrators can set the visibility of pages within a workspace, including the search page. When the search page is set to be invisible, regular users cannot view the search page or access its functionalities from the front-end interface. However, the back-end does not verify the visibility status of the search page. Consequently, attackers can directly call the API to access the functionalities provided by the search page, bypassing the visibility restriction set by the administrator.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| security@huntr.dev | https://huntr.com/bounties/c1046fa0-a719-475e-ba62-2b97873fbac4 | Exploit, Third Party Advisory | |
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | https://huntr.com/bounties/c1046fa0-a719-475e-ba62-2b97873fbac4 | Exploit, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:onyx:onyx:0.3.94:*:*:*:*:*:*:*",
"matchCriteriaId": "27CB937B-3A49-4F61-9EA4-572AD261D653",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In danswer-ai/danswer v0.3.94, administrators can set the visibility of pages within a workspace, including the search page. When the search page is set to be invisible, regular users cannot view the search page or access its functionalities from the front-end interface. However, the back-end does not verify the visibility status of the search page. Consequently, attackers can directly call the API to access the functionalities provided by the search page, bypassing the visibility restriction set by the administrator."
},
{
"lang": "es",
"value": "En danswer-ai/danswer v0.3.94, los administradores pueden configurar la visibilidad de las p\u00e1ginas dentro de un espacio de trabajo, incluida la p\u00e1gina de b\u00fasqueda. Cuando la p\u00e1gina de b\u00fasqueda est\u00e1 configurada como invisible, los usuarios no pueden verla ni acceder a sus funciones desde la interfaz del frontend. Sin embargo, el backend no verifica el estado de visibilidad de la p\u00e1gina de b\u00fasqueda. Por lo tanto, los atacantes pueden llamar directamente a la API para acceder a las funciones de la p\u00e1gina de b\u00fasqueda, eludiendo la restricci\u00f3n de visibilidad establecida por el administrador."
}
],
"id": "CVE-2024-9612",
"lastModified": "2025-04-03T18:10:11.190",
"metrics": {
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "security@huntr.dev",
"type": "Secondary"
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2025-03-20T10:15:49.560",
"references": [
{
"source": "security@huntr.dev",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://huntr.com/bounties/c1046fa0-a719-475e-ba62-2b97873fbac4"
},
{
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://huntr.com/bounties/c1046fa0-a719-475e-ba62-2b97873fbac4"
}
],
"sourceIdentifier": "security@huntr.dev",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-1100"
}
],
"source": "security@huntr.dev",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-Other"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
CVE-2024-7767 (GCVE-0-2024-7767)
Vulnerability from cvelistv5
Published
2025-03-20 10:11
Modified
2025-03-20 13:09
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-284 - Improper Access Control
Summary
An improper access control vulnerability exists in danswer-ai/danswer version v0.3.94. This vulnerability allows the first user created in the system to view, modify, and delete chats created by an Admin. This can lead to unauthorized access to sensitive information, loss of data integrity, and potential compliance violations.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| danswer-ai | danswer-ai/danswer |
Version: unspecified < |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-7767",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-20T13:09:24.590978Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-20T13:09:28.298Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://huntr.com/bounties/1425dada-72d8-4bd9-a3e7-2863bb3e1a6c"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "danswer-ai/danswer",
"vendor": "danswer-ai",
"versions": [
{
"lessThanOrEqual": "latest",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An improper access control vulnerability exists in danswer-ai/danswer version v0.3.94. This vulnerability allows the first user created in the system to view, modify, and delete chats created by an Admin. This can lead to unauthorized access to sensitive information, loss of data integrity, and potential compliance violations."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284 Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-20T10:11:20.256Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntr_ai"
},
"references": [
{
"url": "https://huntr.com/bounties/1425dada-72d8-4bd9-a3e7-2863bb3e1a6c"
}
],
"source": {
"advisory": "1425dada-72d8-4bd9-a3e7-2863bb3e1a6c",
"discovery": "EXTERNAL"
},
"title": "Improper Access Control in danswer-ai/danswer"
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntr_ai",
"cveId": "CVE-2024-7767",
"datePublished": "2025-03-20T10:11:20.256Z",
"dateReserved": "2024-08-13T18:40:30.797Z",
"dateUpdated": "2025-03-20T13:09:28.298Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-9612 (GCVE-0-2024-9612)
Vulnerability from cvelistv5
Published
2025-03-20 10:11
Modified
2025-03-20 13:34
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-1100 - Insufficient Isolation of System-Dependent Functions
Summary
In danswer-ai/danswer v0.3.94, administrators can set the visibility of pages within a workspace, including the search page. When the search page is set to be invisible, regular users cannot view the search page or access its functionalities from the front-end interface. However, the back-end does not verify the visibility status of the search page. Consequently, attackers can directly call the API to access the functionalities provided by the search page, bypassing the visibility restriction set by the administrator.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| danswer-ai | danswer-ai/danswer |
Version: unspecified < |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-9612",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-20T13:34:30.618454Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-20T13:34:33.986Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://huntr.com/bounties/c1046fa0-a719-475e-ba62-2b97873fbac4"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "danswer-ai/danswer",
"vendor": "danswer-ai",
"versions": [
{
"lessThanOrEqual": "latest",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In danswer-ai/danswer v0.3.94, administrators can set the visibility of pages within a workspace, including the search page. When the search page is set to be invisible, regular users cannot view the search page or access its functionalities from the front-end interface. However, the back-end does not verify the visibility status of the search page. Consequently, attackers can directly call the API to access the functionalities provided by the search page, bypassing the visibility restriction set by the administrator."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1100",
"description": "CWE-1100 Insufficient Isolation of System-Dependent Functions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-20T10:11:08.077Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntr_ai"
},
"references": [
{
"url": "https://huntr.com/bounties/c1046fa0-a719-475e-ba62-2b97873fbac4"
}
],
"source": {
"advisory": "c1046fa0-a719-475e-ba62-2b97873fbac4",
"discovery": "EXTERNAL"
},
"title": "Unauthorized Access in danswer-ai/danswer"
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntr_ai",
"cveId": "CVE-2024-9612",
"datePublished": "2025-03-20T10:11:08.077Z",
"dateReserved": "2024-10-07T22:22:35.791Z",
"dateUpdated": "2025-03-20T13:34:33.986Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}