Authentication Bypass in open-webui's PDF Generation Service
CVE-2024-8053
8.2 HIGH
Summary
In version v0.3.10 of open-webui, the api/v1/utils/pdf endpoint lacks proper authentication, so unauthenticated attackers can access and misuse the PDF generation service. By sending a POST request with an excessively large payload, an attacker can cause server resource exhaustion, resulting in denial of service (DoS). This vulnerability not only allows unauthorized PDF generation but may also have operational and financial impacts on affected services.
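The two controls the summary points at are an authentication check that runs before any work is done, and a bound on the request body that is enforced both on the declared Content-Length and while the body is actually read. The sketch below is an added example, not open-webui's code; the Request stand-in, the token set and the 1 MB cap are assumptions.

```python
import hmac
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

MAX_PDF_BODY_BYTES = 1_000_000  # assumed cap; size it to the largest legitimate export


@dataclass
class Request:  # constructed stand-in for a framework request (header names lowercased)
    method: str
    path: str
    headers: Dict[str, str]
    body_chunks: List[bytes]  # body as the server would stream it


def authorized(headers: Dict[str, str], valid_tokens: Set[str]) -> bool:
    """Bearer-token check using constant-time comparison."""
    auth = headers.get("authorization", "")
    if not auth.startswith("Bearer "):
        return False
    token = auth[len("Bearer "):]
    return any(hmac.compare_digest(token, t) for t in valid_tokens)


def read_body_capped(chunks: List[bytes], limit: int) -> Optional[bytes]:
    """Buffer the body only up to `limit`; return None (and stop reading) past it."""
    total, parts = 0, []
    for chunk in chunks:
        total += len(chunk)
        if total > limit:
            return None
        parts.append(chunk)
    return b"".join(parts)


def handle_pdf_request(req: Request, valid_tokens: Set[str]) -> Tuple[int, str]:
    """Hardened flow: authenticate, then bound the payload, then (and only then) render."""
    if req.method != "POST" or req.path != "/api/v1/utils/pdf":
        return 404, "not found"
    if not authorized(req.headers, valid_tokens):  # reject before doing any work
        return 401, "authentication required"
    declared = req.headers.get("content-length")
    if declared is not None:  # cheap check on the declared size first
        if not declared.isdigit():
            return 400, "bad content-length"
        if int(declared) > MAX_PDF_BODY_BYTES:
            return 413, "payload too large"
    body = read_body_capped(req.body_chunks, MAX_PDF_BODY_BYTES)  # Content-Length can lie
    if body is None:
        return 413, "payload too large"
    return 200, f"would render {len(body)} bytes to PDF"
```

The streamed cap matters even after the Content-Length check, because a chunked or mis-declared request would otherwise be buffered in full before the renderer ever sees it.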
Affected Version(s)
open-webui/open-webui <= unspecified
References
CVSS V3.1
Score: 8.2
Severity: HIGH
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
CVSS V3.0
Score: 7.5
Severity: HIGH
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved