CVE-2024-4851 — HIGH (7.7) — White Hats Nepal

Vulnerability Description

A Server-Side Request Forgery (SSRF) vulnerability exists in the stangirard/quivr application, version 0.0.204, which allows attackers to access internal networks. The vulnerability is present in the crawl endpoint where the 'url' parameter can be manipulated to send HTTP requests to arbitrary URLs, thereby facilitating SSRF attacks. The affected code is located in the backend/routes/crawl_routes.py file, specifically within the crawl_endpoint function. This issue could allow attackers to interact with internal services that are accessible from the server hosting the application.

CVSS Score

7.7

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality

HIGH

Integrity

NONE

Availability

NONE

Affected Products

Vendor	Product	Versions
Quivr	Quivr	0.0.204

Related Weaknesses (CWE)

CWE-918

References

https://huntr.com/bounties/b6011986-954a-47da-a60c-fc7aebc8005dExploitThird Party Advisory
https://huntr.com/bounties/b6011986-954a-47da-a60c-fc7aebc8005dExploitThird Party Advisory

FAQ

What is CVE-2024-4851?

CVE-2024-4851 is a vulnerability with a CVSS score of 7.7 (HIGH). A Server-Side Request Forgery (SSRF) vulnerability exists in the stangirard/quivr application, version 0.0.204, which allows attackers to access internal networks. The vulnerability is present in the ...

How severe is CVE-2024-4851?

CVE-2024-4851 has been rated HIGH with a CVSS base score of 7.7/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2024-4851?

Check the references section above for vendor advisories and patch information. Affected products include: Quivr Quivr.