CVE-2024-7767

An improper access control vulnerability exists in danswer-ai/danswer version v0.3.94. This vulnerability allows the first user created in the system to view, modify, and delete chats created by an Admin. This can lead to unauthorized access to sensitive information, loss of data integrity, and potential compliance violations.

CVSS v3 8.1 HIGH

8.1^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://huntr.com/bounties/1425dada-72d8-4bd9-a3e7-2863bb3e1a6c	Exploit
https://huntr.com/bounties/1425dada-72d8-4bd9-a3e7-2863bb3e1a6c	Exploit

Configurations

Configuration 1 (hide)

cpe:2.3:a:onyx:onyx:0.3.94:*:*:*:*:*:*:*

History

01 Apr 2025, 20:32

Type	Values Removed	Values Added
First Time		Onyx onyx Onyx
CVSS	v2 : ~~unknown~~ v3 : ~~6.5~~	v2 : unknown v3 : 8.1
Summary		(es) Existe una vulnerabilidad de control de acceso indebido en danswer-ai/danswer versión v0.3.94. Esta vulnerabilidad permite que el primer usuario creado en el sistema vea, modifique y elimine los chats creados por un administrador. Esto puede provocar acceso no autorizado a información confidencial, pérdida de la integridad de los datos y posibles infracciones de cumplimiento.
References	~~() https://huntr.com/bounties/1425dada-72d8-4bd9-a3e7-2863bb3e1a6c -~~	() https://huntr.com/bounties/1425dada-72d8-4bd9-a3e7-2863bb3e1a6c - Exploit
CPE		cpe:2.3:a:onyx:onyx:0.3.94:::::::*

20 Mar 2025, 14:15

Type	Values Removed	Values Added
References	~~() https://huntr.com/bounties/1425dada-72d8-4bd9-a3e7-2863bb3e1a6c -~~	() https://huntr.com/bounties/1425dada-72d8-4bd9-a3e7-2863bb3e1a6c -

20 Mar 2025, 10:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-03-20 10:15

Updated : 2025-04-01 20:32

NVD link : CVE-2024-7767

Mitre link : CVE-2024-7767

CVE.ORG link : CVE-2024-7767

JSON object : View

Products Affected

onyx

onyx

CWE

CWE-284

Improper Access Control

{"id": "CVE-2024-7767", "cveTags": [], "metrics": {"cvssMetricV30": [{"type": "Secondary", "source": "security@huntr.dev", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.8}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 2.8}]}, "published": "2025-03-20T10:15:37.007", "references": [{"url": "https://huntr.com/bounties/1425dada-72d8-4bd9-a3e7-2863bb3e1a6c", "tags": ["Exploit"], "source": "security@huntr.dev"}, {"url": "https://huntr.com/bounties/1425dada-72d8-4bd9-a3e7-2863bb3e1a6c", "tags": ["Exploit"], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security@huntr.dev", "description": [{"lang": "en", "value": "CWE-284"}]}], "descriptions": [{"lang": "en", "value": "An improper access control vulnerability exists in danswer-ai/danswer version v0.3.94. This vulnerability allows the first user created in the system to view, modify, and delete chats created by an Admin. This can lead to unauthorized access to sensitive information, loss of data integrity, and potential compliance violations."}, {"lang": "es", "value": "Existe una vulnerabilidad de control de acceso indebido en danswer-ai/danswer versi\u00f3n v0.3.94. Esta vulnerabilidad permite que el primer usuario creado en el sistema vea, modifique y elimine los chats creados por un administrador. Esto puede provocar acceso no autorizado a informaci\u00f3n confidencial, p\u00e9rdida de la integridad de los datos y posibles infracciones de cumplimiento."}], "lastModified": "2025-04-01T20:32:42.353", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:onyx:onyx:0.3.94:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "27CB937B-3A49-4F61-9EA4-572AD261D653"}], "operator": "OR"}]}], "sourceIdentifier": "security@huntr.dev"}