CVE-2024-36420 Scanner
CVE-2024-36420 Scanner - Arbitrary File Read vulnerability in Flowise
Short Info
Level: Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 11 days 7 hours
Scan only one: Domain, Subdomain, IPv4
Toolbox
Flowise, maintained by FlowiseAI, is an open-source low-code platform for building LLM applications: users assemble chatbots, agents and retrieval pipelines by wiring components together in a visual editor, and the resulting flows are served by a Node.js backend that exposes an HTTP API. It is used by developers, data teams and IT staff who want to integrate language models into existing business processes without writing the orchestration code by hand. Because that backend runs server-side, holds API keys and credentials for the models and tools it connects to, and is frequently deployed reachable from the network, any endpoint that turns user input into a file path has to be treated as security-sensitive.
CVE-2024-36420 is a path traversal flaw in the fileName parameter of the POST /api/v1/openai-assistants-file endpoint, present in Flowise versions up to and including 1.4.3. The parameter is used to build a file path without adequate validation, so traversal sequences such as ../ are honoured and an attacker can request files outside the directory the endpoint is meant to serve. Any file readable by the account running Flowise is exposed. The endpoint is reachable remotely and, in affected versions, does not require authentication, which makes the flaw straightforward to exploit.
The defect lies in how index.ts in the affected version handles fileName: the value is joined onto the server's file directory without stripping traversal sequences or checking that the resolved path still lies inside that directory, so the intended directory restriction is bypassed. Exploitation is a single crafted POST to /api/v1/openai-assistants-file whose fileName climbs out of that directory toward a chosen target, whether a system file or the application's own configuration. A response that returns the contents of the requested file confirms the vulnerability. A scanner therefore asks for a well-known file with a recognisable signature and looks for that signature in the body; a 200 response that lacks it should be treated as inconclusive rather than as proof.
If exploited, this vulnerability gives an attacker read access to any file the Flowise process can open, which on a typical deployment includes the application's configuration and environment files, stored credentials and API keys for the models and tools the flows connect to, user data, and system files that reveal accounts and layout. Such exposure is rarely the end of an intrusion: credentials recovered this way enable authenticated access to Flowise itself and to the upstream services it talks to, and the details gathered can seed social engineering against the organisation running it. The consequences range from financial loss and reputational damage to legal liability for mishandling protected data. Operators should upgrade to a release later than 1.4.3, keep the Flowise API off the public internet or behind an authenticating proxy, run the service as a low-privilege account with access to nothing beyond its own data directory, and, where a finding indicates the endpoint was reachable, rotate every key and credential the server could have read.