Code Injection Vulnerability in Dify Sandbox Service by Langgenius
CVE-2024-10252
8.8 HIGH
Summary
A code injection vulnerability in the Dify sandbox service, affecting langgenius/dify versions up to v0.9.1, allows an attacker to reach the sandbox through internal Server-Side Request Forgery (SSRF) requests. By leveraging this flaw, an attacker can execute arbitrary Python code with root privileges inside the sandbox environment. This may result in the deletion of the entire sandbox service, potentially causing irreversible damage and compromising the application's integrity.
Affected Version(s)
langgenius/dify < 0.2.10
References
CVSS V3.0
Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved