CVE-2024-12450

Summary

CVE-2024-12450 is a vulnerability affecting infiniflow/ragflow versions 0.12.0. The `web_crawl` function in `document_app.py` contains multiple issues. First, it fails to filter URL parameters, making it possible for attackers to perform Full Read Server Side Request Forgery (SSRF) by accessing internal network addresses and viewing their content through generated PDF files. Second, the function lacks restrictions on file protocols, resulting in Arbitrary File Read, allowing attackers to read server files. Third, the outdated Chromium headless version used with --no-sandbox mode increases the risk of Remote Code Execution (RCE) via known Chromium v8 vulnerabilities. These vulnerabilities are addressed in version 0.14.0.

Prevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.