CVE-2024-7037.yaml
info:
  name: open-webui
  cve: CVE-2024-7037
  summary: open-webui allows writing and deleting arbitrary files
  details: |
    In version v0.3.8 of open-webui/open-webui, the endpoint /api/pipelines/upload is vulnerable to arbitrary file write and delete: the client-supplied file.filename is concatenated onto CACHE_DIR without sanitization, so path traversal sequences in the filename place the target outside the cache directory. An attacker who can reach the endpoint can overwrite and delete files on the host, potentially leading to remote code execution.
  cvss: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H
  severity: HIGH
  security_advise: |
    1. Upgrade to open-webui >= 0.3.9
    2. Review and sanitize all file handling logic in the application (derive the on-disk name from the last path component only, and verify the resolved path stays inside the intended directory)
    3. Implement strict access controls around file upload functionalities
rule: version < "0.3.9"
references:
  - https://nvd.nist.gov/vuln/detail/CVE-2024-7037
  - https://github.com/open-webui/open-webui
  - https://github.com/open-webui/open-webui/blob/main/backend/main.py#L1513
  - https://huntr.com/bounties/8508db68-9c99-4b1c-828c-e1bfcacfb847
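The following is an added illustration of the flaw class this record describes, not open-webui's own handler and not the patch that shipped in 0.3.9. It reproduces the unsafe pattern (a client-controlled upload filename concatenated onto CACHE_DIR, then written and later deleted) inside a throwaway temp directory, and sets a hardened path check beside it. The sandbox layout, the function names and the sample filenames are assumptions made for the example; Python is used because the referenced backend is Python.

```python
"""Constructed demo of the CACHE_DIR + file.filename traversal pattern.
NOT open-webui code; names, sandbox layout and sample filenames are assumed.
"""
import os
import tempfile
from pathlib import Path

# Sandbox so the demo never touches real system files: ROOT/cache plays the
# role of CACHE_DIR, ROOT/victim.txt stands in for any file outside it.
ROOT = Path(tempfile.mkdtemp(prefix="upload_demo_"))
CACHE_DIR = ROOT / "cache"
(CACHE_DIR / "pipelines").mkdir(parents=True)
VICTIM = ROOT / "victim.txt"
VICTIM.write_text("original contents\n")


def unsafe_target(filename: str) -> Path:
    """The flawed pattern: plain concatenation, no sanitisation of filename,
    so '../' components in the upload name walk out of CACHE_DIR."""
    return Path(f"{CACHE_DIR}/pipelines/{filename}")


def safe_target(filename: str) -> Path:
    """Hardened form: accept only a bare file name, then confirm the resolved
    path is a direct child of the cache sub-directory."""
    base = (CACHE_DIR / "pipelines").resolve()
    name = os.path.basename(filename)
    # Reject anything with directory components, dot names, NULs, or
    # backslashes (basename() does not split on '\\' on POSIX).
    if (name != filename or name in ("", ".", "..")
            or "\x00" in name or "\\" in name):
        raise ValueError(f"rejected filename: {filename!r}")
    candidate = (base / name).resolve()
    if candidate.parent != base:
        raise ValueError(f"path escapes cache dir: {filename!r}")
    return candidate


def upload_then_cleanup(filename: str, data: bytes, hardened: bool) -> Path:
    """Mimic a handler that writes the upload, hands it off, then deletes it.
    With the unsafe resolver both steps act on whatever the traversal hit."""
    target = safe_target(filename) if hardened else unsafe_target(filename)
    target.write_bytes(data)   # arbitrary write if target escaped CACHE_DIR
    target.unlink()            # ...and arbitrary delete on cleanup
    return target


def demo_unsafe() -> dict:
    """Run a traversal name through the unsafe resolver and report the effect
    on the out-of-tree victim file (overwrite, then delete)."""
    target = unsafe_target("../../victim.txt")
    escaped = target.resolve() == VICTIM.resolve()
    target.write_bytes(b"attacker data")
    overwritten = VICTIM.read_text()
    target.unlink()
    return {"escaped": escaped, "overwritten": overwritten,
            "deleted": not VICTIM.exists()}


if __name__ == "__main__":
    print(demo_unsafe())
    print(safe_target("my_pipeline.py"))
    try:
        safe_target("../../victim.txt")
    except ValueError as exc:
        print("hardened resolver:", exc)
```

The hardened resolver does two independent things: it refuses any name that is not already a bare basename (so traversal is rejected up front rather than silently flattened), and it still checks the resolved path's parent, which also catches symlinked or otherwise unexpected layouts inside the cache directory.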