Submission #658926: Tencent WeKnora v0.1.0 Server-Side Request Forgery

Information

Title: Tencent WeKnora v0.1.0 Server-Side Request Forgery
Description:

# Summary

Tencent WeKnora v0.1.0 contains an unauthenticated Server-Side Request Forgery (SSRF) vulnerability in the `/api/v1/initialization/embedding/test` endpoint. An attacker can use it to probe internal network services by supplying an arbitrary `baseUrl` while `source` is set to `"remote"`.

# Details

The `/api/v1/initialization/embedding/test` endpoint requires no authentication and performs no validation of its input. When `source` is `"remote"`, the handler concatenates the attacker-controlled `baseUrl` with `/embeddings` and issues an HTTP GET to the result with no restriction on scheme, host or port, so the request can be pointed at loopback and internal addresses.

Frontend caller (the initialization wizard posts the model configuration straight to the backend):

```
export function testEmbeddingModel(modelConfig: {
  source: 'local' | 'remote';
  modelName: string;
  baseUrl?: string;
  apiKey?: string;
  dimension?: number;
}): Promise<{ available: boolean; message?: string; dimension?: number }> {
  return new Promise((resolve, reject) => {
    post('/api/v1/initialization/embedding/test', modelConfig) // call the backend endpoint directly
      .then((response: any) => resolve(response.data || {}))
      .catch((error: any) => reject(error));
  });
}
```

Backend handler (the `"remote"` branch is the vulnerable path; `baseUrl` reaches `client.Get` unchanged, and the `"local"` branch is not shown):

```
func (h *InitializationHandler) TestEmbeddingModel(c *gin.Context) {
	var req struct {
		Source    string `json:"source" binding:"required"`
		ModelName string `json:"modelName" binding:"required"`
		BaseURL   string `json:"baseUrl"` // attacker-controlled, never validated
		APIKey    string `json:"apiKey"`
	}
	if err := c.ShouldBindJSON(&req); err != nil {
		c.Error(errors.NewBadRequestError(err.Error()))
		return
	}
	if req.Source == "remote" {
		client := &http.Client{Timeout: 15 * time.Second}
		// SSRF: any scheme, host and port; redirects are followed by default
		resp, err := client.Get(req.BaseURL + "/embeddings")
		if err != nil {
			c.JSON(200, gin.H{"available": false})
			return
		}
		defer resp.Body.Close()
		c.JSON(200, gin.H{
			"available": resp.StatusCode == 200,
			"dimension": 1024, // example value
		})
		return
	}
}
```

No filtering is applied to prevent access to internal network resources. The response is a boolean oracle: `available` is `true` only when the target answered HTTP 200 on `/embeddings`, and `false` both for other status codes and for connection failures, so the attacker learns whether each `host:port` accepts connections (and, from the delay up to the 15-second client timeout, whether a port is closed or filtered) but does not see the response body.
# Proof of Concept (PoC)

```
POST /api/v1/initialization/embedding/test HTTP/1.1
Host: 192.168.0.22
Content-Type: application/json

{
  "source": "remote",
  "modelName": "test",
  "baseUrl": "http://127.0.0.1:520"
}
```
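The hardened counterpart of the `"remote"` branch above, written here as an added example (it is not WeKnora code and not part of the report): `validateBaseURL` rejects non-http(s) schemes, embedded credentials, and any host that is or resolves to a loopback, private, link-local, CGNAT, unspecified or multicast address, and `newSafeClient` repeats that check inside the dialer and refuses redirects, so neither a DNS rebind nor an open redirect on a public host can route the request to an internal service. All function names are this example's own; the project-internal error and handler types are omitted, so `probeRemoteEmbedding` returns the result instead of writing a gin response.

```go
package main

import (
	"context"
	"fmt"
	"net"
	"net/http"
	"net/url"
	"strings"
	"time"
)

// cgnat (100.64.0.0/10, RFC 6598) is not covered by net.IP.IsPrivate.
var _, cgnat, _ = net.ParseCIDR("100.64.0.0/10")

// isForbiddenIP: loopback, RFC 1918 / ULA, link-local (includes the 169.254.169.254
// metadata address), unspecified, multicast, CGNAT. ::ffff:127.0.0.1 is caught too.
func isForbiddenIP(ip net.IP) bool {
	return ip == nil || ip.IsLoopback() || ip.IsPrivate() || ip.IsUnspecified() ||
		ip.IsLinkLocalUnicast() || ip.IsLinkLocalMulticast() || ip.IsMulticast() ||
		cgnat.Contains(ip)
}

// validateBaseURL accepts only a bare http(s) URL (no credentials, query or
// fragment) whose host is outside the forbidden ranges. IP literals are
// checked directly; names go through resolve and every answer is vetted.
func validateBaseURL(raw string, resolve func(string) ([]net.IP, error)) (*url.URL, error) {
	u, err := url.Parse(raw)
	if err != nil || (u.Scheme != "http" && u.Scheme != "https") {
		return nil, fmt.Errorf("not an http(s) url: %q", raw)
	}
	if u.User != nil || u.RawQuery != "" || u.Fragment != "" {
		return nil, fmt.Errorf("credentials, query or fragment not allowed in %q", raw)
	}
	host := u.Hostname()
	if host == "" || strings.Contains(host, "%") { // empty, or IPv6 zone id
		return nil, fmt.Errorf("missing or malformed host in %q", raw)
	}
	ips := []net.IP{net.ParseIP(host)}
	if ips[0] == nil {
		if ips, err = resolve(host); err != nil || len(ips) == 0 {
			return nil, fmt.Errorf("cannot resolve %q: %v", host, err)
		}
	}
	for _, ip := range ips {
		if isForbiddenIP(ip) {
			return nil, fmt.Errorf("host %q maps to forbidden address %s", host, ip)
		}
	}
	return u, nil
}

// newSafeClient re-checks the destination when the socket is opened (defeats DNS
// rebinding after validation) and never follows redirects (no bounce inward).
func newSafeClient() *http.Client {
	dialer := &net.Dialer{Timeout: 5 * time.Second}
	transport := &http.Transport{
		DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
			host, port, err := net.SplitHostPort(addr)
			if err != nil {
				return nil, err
			}
			addrs, err := net.DefaultResolver.LookupIPAddr(ctx, host)
			if err != nil {
				return nil, err
			}
			for _, a := range addrs {
				if isForbiddenIP(a.IP) {
					return nil, fmt.Errorf("refusing to connect to %s", a.IP)
				}
			}
			// Dial the vetted address itself so the name is not resolved again.
			return dialer.DialContext(ctx, network, net.JoinHostPort(addrs[0].IP.String(), port))
		},
	}
	return &http.Client{
		Timeout:   15 * time.Second,
		Transport: transport,
		CheckRedirect: func(*http.Request, []*http.Request) error {
			return http.ErrUseLastResponse
		},
	}
}

// probeRemoteEmbedding is the hardened form of the handler's "remote" branch:
// validate, then GET baseUrl + "/embeddings" through the safe client.
func probeRemoteEmbedding(client *http.Client, baseURL string) (bool, error) {
	u, err := validateBaseURL(baseURL, net.LookupIP)
	if err != nil {
		return false, err
	}
	resp, err := client.Get(strings.TrimSuffix(u.String(), "/") + "/embeddings")
	if err != nil {
		return false, err
	}
	defer resp.Body.Close()
	return resp.StatusCode == http.StatusOK, nil
}
```

Because the transport dials the vetted IP but the request keeps the original URL, TLS certificate verification still runs against the hostname. None of this replaces putting the initialization endpoints behind authentication; it only stops the server from acting as an internal-network proxy for whoever can reach them.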
Source: https://github.com/Hebing123/cve/issues/90
User: jiashenghe (UID 39445)
Submitted: 19.09.2025 11:40 (7 months ago)
Moderated: 26.09.2025 11:31 (7 days later)
Status: accepted
VulDB entry: 326083 [Tencent WeKnora 0.1.0 test testEmbeddingModel baseUrl privilege escalation]
Points: 20
