Vulnerability Information
Vulnerability Title
text-generation-webui has a SSRF in superbooga/superboogav2 extensions — no URL validation
Vulnerability Description
text-generation-webui is an open-source web interface for running Large Language Models. Prior to 4.3, the superbooga and superboogav2 RAG extensions fetch user-supplied URLs via requests.get() with zero validation: no scheme check, no IP filtering, no hostname allowlist. An attacker can access cloud metadata endpoints, steal IAM credentials, and probe internal services. The fetched content is exfiltrated through the RAG pipeline. This vulnerability is fixed in 4.3.
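A sketch of the three checks the description says were missing (scheme, IP filtering, hostname allowlist), as an added example and not the project's actual 4.3 fix. The names `check_url`, `verdict`, the injectable resolver and the example.com hosts are assumptions made for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

def system_resolve(host, port):  # real DNS lookup: every address for the name
    return {ai[4][0] for ai in socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)}

def check_url(url, allowed_hosts=None, resolve=system_resolve):
    """Return the vetted address set for url; raise ValueError on any failed check."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:  # scheme check
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    host = parts.hostname
    if not host:
        raise ValueError("URL has no host")
    if allowed_hosts is not None and host not in allowed_hosts:  # hostname allowlist
        raise ValueError(f"host not on allowlist: {host}")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    addrs = set(resolve(host, port))
    if not addrs:
        raise ValueError(f"host does not resolve: {host}")
    for addr in addrs:  # IP filtering: every record must be public
        ip = ipaddress.ip_address(addr.split("%")[0])  # drop any IPv6 zone id
        ip = getattr(ip, "ipv4_mapped", None) or ip  # unwrap ::ffff:a.b.c.d
        if not ip.is_global:  # loopback, RFC 1918, link-local, CGNAT, ...
            raise ValueError(f"{host} resolves to non-public address {ip}")
    return addrs

CONSTRUCTED_DNS = {  # constructed sample data: stand-in DNS so the demo runs offline
    "docs.example.com": {"93.184.216.34"},
    "intranet.example.com": {"10.0.0.5"},
    "mixed.example.com": {"93.184.216.34", "127.0.0.1"},
}

def constructed_resolve(host, port):
    return CONSTRUCTED_DNS.get(host, {host})  # IP literals map to themselves

def verdict(url, **kwargs):
    try:
        check_url(url, resolve=constructed_resolve, **kwargs)
        return "allow"
    except ValueError as exc:
        return f"deny: {exc}"

if __name__ == "__main__":
    for u in ("https://docs.example.com/a", "http://169.254.169.254/", "http://mixed.example.com/"):
        print(u, "->", verdict(u))
```

Fetch with `requests.get(url, allow_redirects=False)` and run every redirect target through the same check. Because the name is resolved again at connect time, pinning the connection to the vetted addresses is needed to close the DNS-rebinding gap.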
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Vulnerability Type
Server-Side Request Forgery (SSRF)
Vulnerability Title
Text Generation Web UI code issue vulnerability
Vulnerability Description
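Text Generation Web UI is a UI for local AI by the individual developer oobabooga. Versions of Text Generation Web UI before 4.3 contain a code issue vulnerability. It stems from the superbooga and superboogav2 RAG extensions fetching user-supplied URLs via requests.get without any validation, which may allow an attacker to access cloud metadata endpoints, steal IAM credentials, and probe internal services.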
CVSS Information
N/A
Vulnerability Type
N/A