CVE-2024-9617: IDOR in danswer-ai/danswer

Published Mar 20, 2025

Updated

An IDOR vulnerability in danswer-ai/danswer v0.3.94 allows an attacker to view any files. The application does not verify whether the attacker is the creator of the file, allowing the attacker to directly call the GET /api/chat/file/{fileid} interface to view any user's file.

Affected Software

1 affected component

danswer-ai danswer

Event History

Mar 20, 2025

CVE Published

via MITRE·10:10 AM

Data Sourced

via MITRE·10:10 AM

DescriptionSeverityWeakness

Data Sourced

via NVD·10:15 AM

DescriptionSeverityWeakness

Frequently Asked Questions

What is the severity of CVE-2024-9617?

CVE-2024-9617 is classified as a high severity vulnerability due to its potential to expose sensitive files to unauthorized users.

How do I fix CVE-2024-9617?

To fix CVE-2024-9617, implement proper authorization checks to ensure only file creators can access their files.

What type of vulnerability is CVE-2024-9617?

CVE-2024-9617 is an Insecure Direct Object Reference (IDOR) vulnerability that allows unintended access to files.

Which software is affected by CVE-2024-9617?

CVE-2024-9617 affects Danswer AI version 0.3.94.

What exploit can be performed due to CVE-2024-9617?

An attacker exploiting CVE-2024-9617 can directly access and view any user's files without authorization.

CVE-2024-9617: IDOR in danswer-ai/danswer

Affected Software

Event History

Don't miss critical vulnerabilities

Frequently Asked Questions

What is the severity of CVE-2024-9617?

How do I fix CVE-2024-9617?

What type of vulnerability is CVE-2024-9617?

Which software is affected by CVE-2024-9617?

What exploit can be performed due to CVE-2024-9617?

Company

Resources

Contact