CVE-2024-7048

MEDIUM Year: 2024
CVSS v3 Score
6.3
Medium
Weakness Type
CWE-269
View all →

Vulnerability Description

In version v0.3.8 of open-webui, an improper privilege management vulnerability exists in the API endpoints GET /api/v1/documents/ and POST /rag/api/v1/doc. This vulnerability allows a lower-privileged user to access and overwrite files managed by a higher-privileged admin. By exploiting this vulnerability, an attacker can view metadata of files uploaded by an admin and overwrite these files, compromising the integrity and availability of the RAG models.

Related Vulnerabilities

CVE-2013-4867

MEDIUM
CVSS:6.3(Medium)

Electronic Arts Karotz Smart Rabbit 12.07.19.00 allows Python module hijacking

CWE-2692013

CVE-2017-11438

MEDIUM
CVSS:6.3(Medium)

GitLab Community Edition (CE) and Enterprise Edition (EE) before 9.0.11, 9.1.8, 9.2.8 allow an authenticated user with the ability to create a group to add themselves to any project that is inside a s...

CWE-2692017

CVE-2017-14124

MEDIUM
CVSS:6.3(Medium)

In eLux RP 5.x before 5.5.1000 LTSR and 5.6.x before 5.6.2 CR when classic desktop mode is used, it is possible to start applications other than defined, even if the user does not have permissions to ...

CWE-2692017

CVE-2017-7489

MEDIUM
CVSS:6.3(Medium)

In Moodle 2.x and 3.x, remote authenticated users can take ownership of arbitrary blogs by editing an external blog link.

CWE-2692017

CVE-2020-7281

MEDIUM
CVSS:6.3(Medium)

Privilege Escalation vulnerability in McAfee Total Protection (MTP) prior to 16.0.R26 allows local users to delete files the user would otherwise not have access to via manipulating symbolic links to ...

CWE-2692020

CVE-2022-39202

MEDIUM
CVSS:6.3(Medium)

matrix-appservice-irc is an open source Node.js IRC bridge for Matrix. The Internet Relay Chat (IRC) protocol allows you to specify multiple modes in a single mode command. Due to a bug in the underly...

CWE-2692022