CVE-2024-32881

April 26, 2024, 9:15 p.m.

9.8
Critical

Description

Danswer is the AI Assistant connected to company's docs, apps, and people. Danswer is vulnerable to unauthorized access to GET/SET of Slack Bot Tokens. Anyone with network access can steal slack bot tokens and set them. This implies full compromise of the customer's slack bot, leading to internal Slack access. This issue was patched in version 3.63.

Product(s) Impacted

Product Versions
Danswer AI Assistant
  • 3.63

Weaknesses

References

https://github.com/danswer-ai/danswer/commit/89ff07a96b41be9e05256bd252105be233f4d28a
https://github.com/danswer-ai/danswer/commit/bd7e21a6388775e850d6f716675a893c72881e56
https://github.com/danswer-ai/danswer/security/advisories/GHSA-xr9w-3ggr-hr6j

Tags

CVSS Score

9.8 / 10

CVSS Data

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: HIGH
  • Availability Impact: HIGH
    • View Vector String

    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Date

  • Published: April 26, 2024, 9:15 p.m.
  • Last Modified: April 26, 2024, 9:15 p.m.

Status : Received

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

security-advisories@github.com

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.