CVE-2024-10044

CRITICAL Year: 2024
CVSS v3 Score
9.3
Critical
Weakness Type
CWE-918
View all →

Vulnerability Description

A Server-Side Request Forgery (SSRF) vulnerability exists in the POST /worker_generate_stream API endpoint of the Controller API Server in lm-sys/fastchat, as of commit e208d5677c6837d590b81cb03847c0b9de100765. This vulnerability allows attackers to exploit the victim controller API server's credentials to perform unauthorized web actions or access unauthorized web resources by combining it with the POST /register_worker endpoint.

Related Vulnerabilities

CVE-2022-0990

CRITICAL
CVSS:9.3(Critical)

Server-Side Request Forgery (SSRF) in GitHub repository janeczku/calibre-web prior to 0.6.18.

CWE-9182022

CVE-2024-2796

CRITICAL
CVSS:9.3(Critical)

A server-side request forgery (SSRF) was discovered in the Akana API Platform in versions prior to and including 2022.1.3. Reported by Jakob Antonsson.

CWE-9182024

CVE-2024-28752

CRITICAL
CVSS:9.3(Critical)

A SSRF vulnerability using the Aegis DataBinding in versions of Apache CXF before 4.0.4, 3.6.3 and 3.5.8 allows an attacker to perform SSRF style attacks on webservices that take at least one paramete...

CWE-9182024

CVE-2024-37260

CRITICAL
CVSS:9.3(Critical)

Server-Side Request Forgery (SSRF) vulnerability in Theme-Ruby Foxiz.This issue affects Foxiz: from n/a through 2.3.5.

CWE-9182024

CVE-2024-6424

CRITICAL
CVSS:9.3(Critical)

External server-side request vulnerability in MESbook 20221021.03 version, which could allow a remote, unauthenticated attacker to exploit the endpoint "/api/Proxy/Post?userName=&password=&uri=<FILE|I...

CWE-9182024

CVE-2024-9309

CRITICAL
CVSS:9.3(Critical)

A Server-Side Request Forgery (SSRF) vulnerability exists in the POST /worker_generate_stream API endpoint of the Controller API Server in haotian-liu/llava version v1.2.0 (LLaVA-1.6). This vulnerabil...

CWE-9182024