CVE-2024-9612 in danswerinfo

Summary

by MITRE • 03/20/2025

In danswer-ai/danswer v0.3.94, administrators can set the visibility of pages within a workspace, including the search page. When the search page is set to be invisible, regular users cannot view the search page or access its functionalities from the front-end interface. However, the back-end does not verify the visibility status of the search page. Consequently, attackers can directly call the API to access the functionalities provided by the search page, bypassing the visibility restriction set by the administrator.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Analysis

by VulDB Data Team • 03/21/2025

The vulnerability identified as CVE-2024-9612 affects the danswer-ai/danswer platform version 0.3.94 and represents a critical access control flaw that undermines the intended security posture of the application. This issue stems from a fundamental architectural weakness where the frontend visibility controls are not properly enforced at the backend level, creating a direct pathway for unauthorized access. The vulnerability specifically targets the workspace page visibility settings, particularly the search page functionality, which administrators can configure to be visible or invisible to different user roles. When administrators set the search page to invisible status, they expect this restriction to be enforced consistently across all access points, including both frontend and backend interfaces. However, the implementation fails to maintain this consistency, leaving a dangerous gap in the security model that directly violates the principle of least privilege and proper access control enforcement.

The technical nature of this vulnerability can be categorized under CWE-639 Access Control Bypass, which specifically addresses situations where an application fails to properly enforce access control mechanisms, allowing unauthorized users to access resources or functionality that should be restricted. The flaw manifests as a backend validation failure where API endpoints that should be protected by visibility restrictions are accessible regardless of the configured visibility settings. This creates a scenario where attackers can directly interact with the application's API layer to access search page functionalities without going through the normal user interface, effectively bypassing the administrative controls that were meant to enforce access restrictions. The vulnerability represents a classic case of insufficient backend validation where frontend security measures are not mirrored or enforced at the application's core API level, creating a fundamental mismatch between the intended security model and the actual implementation.

The operational impact of this vulnerability is significant as it allows attackers to gain unauthorized access to search functionality that administrators intended to restrict. This bypass enables potential information disclosure and privilege escalation scenarios, as attackers can access search results, query capabilities, and potentially sensitive data that should only be available to authorized users. The vulnerability affects all users who can access the API endpoints, regardless of their role or permissions, making it particularly dangerous in multi-tenant environments where different users may have varying access levels. Attackers can exploit this by directly calling the backend API endpoints that power the search page, circumventing the frontend visibility checks that administrators have configured. This creates a scenario where even if administrators properly configure visibility settings, the backend implementation fails to enforce these restrictions, effectively neutralizing the administrative controls and potentially exposing sensitive information or system functionalities to unauthorized parties.

The security implications extend beyond simple information disclosure, as this vulnerability can be leveraged to perform reconnaissance activities and gather intelligence about the system's data and functionality. Attackers can systematically explore the search capabilities without triggering frontend-based access controls, potentially identifying sensitive content or system configurations that administrators intended to keep private. This vulnerability also aligns with ATT&CK technique T1069.003 Credential Access - Unsecured Credentials, as it allows unauthorized access to system functionality that would normally be restricted to authorized users. Organizations using danswer-ai/danswer should immediately implement mitigations including proper API endpoint validation, enforcement of visibility settings at the backend level, and implementation of comprehensive access control checks before allowing any API interactions. The recommended remediation involves strengthening backend validation mechanisms to ensure that all API endpoints respect the visibility configurations set by administrators, implementing proper authentication and authorization checks, and conducting thorough security testing to identify similar issues in other parts of the application. Additionally, organizations should consider implementing monitoring and alerting for unusual API access patterns that might indicate exploitation of this vulnerability, as the direct API access bypasses normal user interface logging and monitoring mechanisms that would typically detect unauthorized access attempts.

Responsible

@huntr Ai

Reservation

10/08/2024

Disclosure

03/20/2025

Moderation

accepted

CPE

ready

EPSS

0.00662

KEV

no

Activities

very low

Sources

Want to stay up to date on a daily basis?

Enable the mail alert feature now!