File Upload and Download Vulnerability in WandB's OpenUI

CVE-2024-10649

What is CVE-2024-10649?

The WandB OpenUI product contains a security flaw where unauthenticated endpoints permit unrestricted file uploads and downloads from an AWS S3 bucket. This vulnerability allows malicious users to exploit the endpoints '/v1/share/{id:str}' for both uploading and downloading JSON files. The absence of proper authentication mechanisms could lead to severe security implications, including denial of service by overwhelming storage space, potential stored cross-site scripting (XSS) attacks due to the injection of harmful scripts, and unauthorized access to sensitive information stored in the S3 bucket. Organizations utilizing WandB OpenUI should prioritize addressing this vulnerability to safeguard their data and applications.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch →

References