Insecure permissions in LangChain-ChatGLM-Webui commit ef829 allows attackers to arbitrarily view and download sensitive files via supplying a crafted request.
The vulnerability stems from incorrectly configured access permissions to resources (CWE-732 — Incorrect Permission Assignment for Critical Resource). The attacker sends a specially crafted HTTP request that bypasses access control mechanisms. As a result, it is possible to read and download files that should have restricted access.
An attacker can gain access to sensitive application files without authentication, leading to disclosure of potentially confidential data (e.g., configurations, API keys, user data). Combined with the full CIA triad (C:H/I:H/A:H), the consequences may include violations of system confidentiality, integrity, and availability.
Apply patches available from the vendor according to the references. It is recommended to monitor the GitHub repository of the project (https://github.com/X-D-Lab/LangChain-ChatGLM-Webui) to obtain the updated version. Until the patch is deployed, consider restricting access to the application only to trusted networks or applying firewall rules to block external access.
X-D Lab LangChain-ChatGLM-Webui in the version corresponding to commit ef829
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HX D Lab Langchain Chatglm Webui
APPX-D Lab2023-05-23