A vulnerability has been found in Dataease SQLBot up to 1.4.0. This affects an unknown function of the file backend/apps/system/api/assistant.py of the component API Endpoint. Such manipulation leads to improper access controls.
It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 1.5.0 mitigates this issue.
The name of the patch is d640ac31d1ce64ce90e06cf7081163915c9fc28c. Upgrading the affected component is recommended. Multiple endpoints are affected.
The vendor was contacted early about this disclosure.
Attack Parameters
Attack Vector
Network
Can be exploited remotely
Attack Complexity
Low
Easy to exploit
Attack Requirements
None
No additional conditions
Privileges Required
Low
Basic privileges needed
User Interaction
None
No user interaction needed
Impact Assessment
Confidentiality
Low
Partial data leak
Integrity
Low
Partial data modification
Availability
Low
Partial disruption
CVSS Vector v4.0
Weakness Type (CWE)
References 17
https://github.com/dataease/SQLBot/
cna@vuldb.com
https://github.com/dataease/SQLBot/commit/d640ac31d1ce64ce90e06cf7081163915c9fc…
cna@vuldb.com
https://github.com/dataease/SQLBot/releases/tag/v1.5.0
cna@vuldb.com
https://github.com/dataease/SQLBot/security/advisories/GHSA-h4xm-3q3p-5g6r
cna@vuldb.com
https://github.com/yaowenxiao721/Poc/blob/main/SQLBot/SQLBot-AIModel-Management…
cna@vuldb.com
https://github.com/yaowenxiao721/Poc/blob/main/SQLBot/SQLBot-User-Management-Br…
cna@vuldb.com
https://vuldb.com/?ctiid.348291
cna@vuldb.com
https://vuldb.com/?id.348291
cna@vuldb.com
https://vuldb.com/?submit.706144
cna@vuldb.com
https://vuldb.com/?submit.707283
cna@vuldb.com
https://vuldb.com/?submit.707284
cna@vuldb.com
https://vuldb.com/?submit.707285
cna@vuldb.com
https://vuldb.com/?submit.707286
cna@vuldb.com
https://vuldb.com/?submit.707288
cna@vuldb.com
https://vuldb.com/?submit.707293
cna@vuldb.com
https://vuldb.com/?submit.707294
cna@vuldb.com
https://vuldb.com/?submit.707295
cna@vuldb.com