CVE-2024-10044

Published: Dec 30, 2024

Modified: Dec 30, 2024

PUBLISHED

CVSS v3.0

9.3

CRITICAL

Description

A Server-Side Request Forgery (SSRF) vulnerability exists in the POST /worker_generate_stream API endpoint of the Controller API Server in lm-sys/fastchat, as of commit e208d5677c6837d590b81cb03847c0b9de100765. This vulnerability allows attackers to exploit the victim controller API server's credentials to perform unauthorized web actions or access unauthorized web resources by combining it with the POST /register_worker endpoint.

Vendor	Product	Versions
lm-sys	lm-sys/fastchat	affected `unspecified - <= latest`

Weaknesses (CWE)

CWE-918

CVSS v3.0 Details

CVSS v3.0 Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

Low

Availability

None

References

https://huntr.com/bounties/44633540-377d-4ac4-b3a3-c2d0fa19d0e6

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2024-10044

Description

Affected Products

Weaknesses (CWE)

CVSS v3.0 Details

References