{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-12450", "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "state": "PUBLISHED", "assignerShortName": "@huntr_ai", "dateReserved": "2024-12-10T19:21:52.795Z", "datePublished": "2025-03-20T10:11:05.133Z", "dateUpdated": "2025-04-04T08:45:39.429Z"}, "containers": {"cna": {"title": "RCE, Full Read SSRF, and Arbitrary File Read in infiniflow/ragflow", "providerMetadata": {"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "shortName": "@huntr_ai", "dateUpdated": "2025-04-04T08:45:39.429Z"}, "descriptions": [{"lang": "en", "value": "In infiniflow/ragflow versions 0.12.0, the `web_crawl` function in `document_app.py` contains multiple vulnerabilities. The function does not filter URL parameters, allowing attackers to exploit Full Read SSRF by accessing internal network addresses and viewing their content through the generated PDF files. Additionally, the lack of restrictions on the file protocol enables Arbitrary File Read, allowing attackers to read server files. Furthermore, the use of an outdated Chromium headless version with --no-sandbox mode enabled makes the application susceptible to Remote Code Execution (RCE) via known Chromium v8 vulnerabilities. These issues are resolved in version 0.14.0."}], "affected": [{"vendor": "infiniflow", "product": "infiniflow/ragflow", "versions": [{"version": "unspecified", "lessThan": "0.14.0", "status": "affected", "versionType": "custom"}]}], "references": [{"url": "https://huntr.com/bounties/da06360c-87c3-4ba9-be67-29f6eff9d44a"}, {"url": "https://github.com/infiniflow/ragflow/commit/3faae0b2c2f8a26233ee1442ba04874b3406f6e9"}], "metrics": [{"cvssV3_0": {"version": "3.0", "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM"}}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-918 Server-Side Request Forgery (SSRF)", "cweId": "CWE-918"}]}], "source": {"advisory": "da06360c-87c3-4ba9-be67-29f6eff9d44a", "discovery": "EXTERNAL"}}, "adp": [{"references": [{"url": "https://huntr.com/bounties/da06360c-87c3-4ba9-be67-29f6eff9d44a", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-03-20T15:22:49.075420Z", "id": "CVE-2024-12450", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-20T15:22:52.178Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-12450", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-03-20T15:22:49.075420Z"}}}], "references": [{"url": "https://huntr.com/bounties/da06360c-87c3-4ba9-be67-29f6eff9d44a", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-20T15:22:43.103Z"}}], "cna": {"title": "RCE, Full Read SSRF, and Arbitrary File Read in infiniflow/ragflow", "source": {"advisory": "da06360c-87c3-4ba9-be67-29f6eff9d44a", "discovery": "EXTERNAL"}, "metrics": [{"cvssV3_0": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "infiniflow", "product": "infiniflow/ragflow", "versions": [{"status": "affected", "version": "unspecified", "lessThan": "0.14.0", "versionType": "custom"}]}], "references": [{"url": "https://huntr.com/bounties/da06360c-87c3-4ba9-be67-29f6eff9d44a"}, {"url": "https://github.com/infiniflow/ragflow/commit/3faae0b2c2f8a26233ee1442ba04874b3406f6e9"}], "descriptions": [{"lang": "en", "value": "In infiniflow/ragflow versions 0.12.0, the `web_crawl` function in `document_app.py` contains multiple vulnerabilities. The function does not filter URL parameters, allowing attackers to exploit Full Read SSRF by accessing internal network addresses and viewing their content through the generated PDF files. Additionally, the lack of restrictions on the file protocol enables Arbitrary File Read, allowing attackers to read server files. Furthermore, the use of an outdated Chromium headless version with --no-sandbox mode enabled makes the application susceptible to Remote Code Execution (RCE) via known Chromium v8 vulnerabilities. These issues are resolved in version 0.14.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "CWE-918 Server-Side Request Forgery (SSRF)"}]}], "providerMetadata": {"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "shortName": "@huntr_ai", "dateUpdated": "2025-04-04T08:45:39.429Z"}}}, "cveMetadata": {"cveId": "CVE-2024-12450", "state": "PUBLISHED", "dateUpdated": "2025-04-04T08:45:39.429Z", "dateReserved": "2024-12-10T19:21:52.795Z", "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "datePublished": "2025-03-20T10:11:05.133Z", "assignerShortName": "@huntr_ai"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:infiniflow:ragflow:0.12.0:*:*:*:*:*:*:*", "matchCriteriaId": "6EDC17D5-855D-4564-ABB4-CED9A5E4F983", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In infiniflow/ragflow versions 0.12.0, the `web_crawl` function in `document_app.py` contains multiple vulnerabilities. The function does not filter URL parameters, allowing attackers to exploit Full Read SSRF by accessing internal network addresses and viewing their content through the generated PDF files. Additionally, the lack of restrictions on the file protocol enables Arbitrary File Read, allowing attackers to read server files. Furthermore, the use of an outdated Chromium headless version with --no-sandbox mode enabled makes the application susceptible to Remote Code Execution (RCE) via known Chromium v8 vulnerabilities. These issues are resolved in version 0.14.0."}, {"lang": "es", "value": "En las versiones 0.12.0 de infiniflow/ragflow, la funci\u00f3n `web_crawl` en `document_app.py` contiene m\u00faltiples vulnerabilidades. Esta funci\u00f3n no filtra los par\u00e1metros de URL, lo que permite a los atacantes explotar la SSRF de lectura completa accediendo a direcciones de red internas y visualizando su contenido a trav\u00e9s de los archivos PDF generados. Adem\u00e1s, la ausencia de restricciones en el protocolo de archivos permite la lectura arbitraria de archivos, lo que permite a los atacantes leer archivos del servidor. Asimismo, el uso de una versi\u00f3n desactualizada de Chromium sin interfaz gr\u00e1fica con el modo --no-sandbox habilitado hace que la aplicaci\u00f3n sea susceptible a la ejecuci\u00f3n remota de c\u00f3digo (RCE) a trav\u00e9s de vulnerabilidades conocidas de Chromium v8. Estos problemas se han resuelto en la versi\u00f3n 0.14.0."}], "id": "CVE-2024-12450", "lastModified": "2025-04-04T09:15:15.207", "metrics": {"cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security@huntr.dev", "type": "Secondary"}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2025-03-20T10:15:28.883", "references": [{"source": "security@huntr.dev", "tags": ["Patch"], "url": "https://github.com/infiniflow/ragflow/commit/3faae0b2c2f8a26233ee1442ba04874b3406f6e9"}, {"source": "security@huntr.dev", "tags": ["Exploit"], "url": "https://huntr.com/bounties/da06360c-87c3-4ba9-be67-29f6eff9d44a"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit"], "url": "https://huntr.com/bounties/da06360c-87c3-4ba9-be67-29f6eff9d44a"}], "sourceIdentifier": "security@huntr.dev", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "security@huntr.dev", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-918"}], "source": "nvd@nist.gov", "type": "Secondary"}]}

{}