CVE-2024-56137 MEDIUM

CVE-2024-56137: MaxKB RCE vulnerability in function library

Vendor 1Panel-Dev
Product MaxKB
Weakness CWE-78
Published January 2, 2025
Last update January 2, 2025

CVSS base score

6.8/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction Required
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

MaxKB, which stands for Max Knowledge Base, is an open source knowledge base question-answering system based on a large language model and retrieval-augmented generation (RAG). Prior to version 1.9.0, a remote command execution vulnerability exists in the module of function library. The vulnerability allow privileged‌ users to execute OS command in custom scripts. The vulnerability has been fixed in v1.9.0.

Key dates

02Disclosure timeline

January 2, 2025 CVE published
January 2, 2025 Record updated