漏洞信息
尽管我们使用了先进的大模型技术,但其输出仍可能包含不准确或过时的信息。神龙努力确保数据的准确性,但请您根据实际情况进行核实和判断。
Vulnerability Title
Crawl4AI: Unauthenticated RCE via Chromium launch-argument injection in browser_config.extra_args
Vulnerability Description
Crawl4AI is an open-source LLM-friendly web crawler and scraper. Prior to 0.9.0, the Docker API server accepted request-supplied browser_config.extra_args, which flowed into Chromium's launch arguments. An attacker could inject Chromium switches that replace a child-process launch command together with --no-zygote, causing Chromium to fork or exec an attacker-controlled command as the container's runtime user. The Docker API is unauthenticated by default, so a single request yields arbitrary command execution. This issue is fixed in version 0.9.0.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Vulnerability Type
参数注入或修改
Vulnerability Title
UncleCode Crawl4AI 命令注入漏洞
Vulnerability Description
UncleCode Crawl4AI是新加坡UncleCode个人开发者的一款AI驱动的爬虫软件。 UncleCode Crawl4AI 0.9.0之前版本存在安全漏洞,该漏洞源于Docker API服务器接受请求提供的browser_config.extra_args参数,该参数流入Chromium启动参数,攻击者可注入Chromium开关替换子进程启动命令并结合--no-zygote,导致Chromium分叉或执行攻击者控制的命令,从而造成任意命令执行。
CVSS Information
N/A
Vulnerability Type
N/A