脆弱性情報
高度な大規模言語モデル技術を使用していますが、出力には不正確または古い情報が含まれる可能性があります。Shenlongはデータの正確性を確保するよう努めていますが、実際の状況に基づいて検証・判断してください。
脆弱性タイトル
Collection of internally resolving IPs
脆弱性説明
Should an instance of AnythingLLM be hosted on an internal network and the attacked be explicitly granted a permission level of manager or admin, they could link-scrape internally resolving IPs of other services that are on the same network as AnythingLLM. This would require the attacker also be able to guess these internal IPs as `/*` ranging is not possible, but could be brute forced. There is a duty of care that other services on the same network would not be fully open and accessible via a simple CuRL with zero authentication as it is not possible to set headers or access via the link collector.
CVSS情報
N/A
脆弱性タイプ
服务端请求伪造(SSRF)
脆弱性タイトル
AnythingLLM 代码问题漏洞
脆弱性説明
AnythingLLM是符合业务要求的文档聊天机器人。 AnythingLLM存在代码问题漏洞。攻击者利用该漏洞可以升级权限,从而暴力破解与 AnythingLLM 位于同一网络上的其他服务的 IP。
CVSS情報
N/A
脆弱性タイプ
N/A