CVE-2024-8057: Improper Access Control in danswer-ai/danswer
In version 0.4.1 of danswer-ai/danswer, a vulnerability exists where a basic user can create credentials and link them to an existing connector. This issue arises because the system allows an unauthenticated attacker to sign up with a basic account and perform actions that should be restricted to admin users. This can lead to excessive resource consumption, potentially resulting in a Denial of Service (DoS) and other significant issues, impacting the system's stability and security.
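The pattern behind this class of bug, shown as an added example that is not Danswer's own code: a hypothetical in-memory credential/connector store where the vulnerable path only checks that a user is logged in, while the hardened path requires the admin role on both credential creation and linking (role names, store layout and the per-connector cap are constructed for illustration).

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, List


class Role(Enum):
    BASIC = "basic"   # self-registered account, as in the advisory
    ADMIN = "admin"


@dataclass
class User:
    user_id: str
    role: Role


@dataclass
class Connector:
    connector_id: int
    credential_ids: List[int] = field(default_factory=list)


def require_admin(user: User) -> None:
    """Authorization check that the vulnerable path omits."""
    if user.role is not Role.ADMIN:
        raise PermissionError(f"{user.user_id}: admin role required")


class CredentialStore:
    MAX_CREDENTIALS_PER_CONNECTOR = 5  # defence in depth against resource exhaustion

    def __init__(self) -> None:
        self.credentials: Dict[int, str] = {}
        self.connectors: Dict[int, Connector] = {}
        self._next_id = 1

    def add_connector(self, connector_id: int) -> None:
        self.connectors[connector_id] = Connector(connector_id)

    def _create(self, secret: str) -> int:
        cid, self._next_id = self._next_id, self._next_id + 1
        self.credentials[cid] = secret
        return cid

    # Vulnerable: any authenticated user, including a basic one, may create credentials.
    def create_credential_vulnerable(self, user: User, secret: str) -> int:
        return self._create(secret)

    # Hardened: credential creation and linking are admin-only actions.
    def create_credential(self, user: User, secret: str) -> int:
        require_admin(user)
        return self._create(secret)

    def link_credential(self, user: User, credential_id: int, connector_id: int) -> None:
        require_admin(user)
        connector = self.connectors[connector_id]
        if len(connector.credential_ids) >= self.MAX_CREDENTIALS_PER_CONNECTOR:
            raise ValueError("connector credential limit reached")
        connector.credential_ids.append(credential_id)


def denied(action: Callable, *args) -> bool:
    """True if the action is refused by the authorization check."""
    try:
        action(*args)
    except PermissionError:
        return True
    return False
```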
Frequently Asked Questions
What is the severity of CVE-2024-8057?
The severity of CVE-2024-8057 is currently classified as high due to the potential impact of unauthorized credential creation.
How do I fix CVE-2024-8057?
To fix CVE-2024-8057, users should update Danswer AI to the latest version where the vulnerability has been patched.
Who is affected by CVE-2024-8057?
CVE-2024-8057 affects users of Danswer AI version 0.4.1 who have basic accounts.
What actions can an attacker perform with CVE-2024-8057?
An attacker exploiting CVE-2024-8057 can create credentials and link them to an existing connector, gaining unauthorized access.
Is CVE-2024-8057 a remote or local vulnerability?
CVE-2024-8057 is considered a remote vulnerability as it can be exploited by an unauthenticated user over the network.