CVE-2024-8060
Remote Code Execution in OpenWebUI via Arbitrary File Upload
OpenWebUI version 0.3.0 contains a vulnerability in the audio API endpoint `/audio/api/v1/transcriptions` that allows for arbitrary file upload. The application performs insufficient validation on the `file.content_type` and allows user-controlled filenames, leading to a path traversal vulnerability. This can be exploited by an authenticated user to overwrite critical files within the Docker container, potentially leading to remote code execution as the root user.
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Productos afectados
open-webui · open-webui/open-webui¿Quieres saber si tu infraestructura está expuesta a esto?
Hablar con TrueHacking →