CVE-2024-4851 HIGH

CVE-2024-4851: SSRF Vulnerability in stangirard/quivr

Vendor Stangirard
Product stangirard/quivr
Weakness CWE-918 · SSRF
Published June 6, 2024
Last update August 9, 2024

CVSS base score

7.7/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity None

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

What the vulnerability does

01Description

A Server-Side Request Forgery (SSRF) vulnerability exists in the stangirard/quivr application, version 0.0.204, which allows attackers to access internal networks. The vulnerability is present in the crawl endpoint where the 'url' parameter can be manipulated to send HTTP requests to arbitrary URLs, thereby facilitating SSRF attacks. The affected code is located in the backend/routes/crawl_routes.py file, specifically within the crawl_endpoint function. This issue could allow attackers to interact with internal services that are accessible from the server hosting the application.

Key dates

02Disclosure timeline

June 6, 2024 CVE published
August 9, 2024 Record updated