Server-Side Request Forgery Flaw in Dify by langgenius
CVE-2024-11822
7.5HIGH
Summary
The Dify application by langgenius contains a Server-Side Request Forgery (SSRF) vulnerability caused by improper handling of the api_endpoint parameter. Because the value is not validated before the server issues a request to it, an attacker can make the application send unauthorized requests to internal network services. Sensitive information may be exposed as a result, including potential access to critical resources such as the AWS metadata endpoint, which could lead to broader security risks for organizations running this software.
Affected Version(s)
langgenius/dify <= unspecified
References
CVSS V3.1
Score: 7.5
Severity: HIGH
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
CVSS V3.0
Score: 6.5
Severity: MEDIUM
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved