CVE-2024-7767

An improper access control vulnerability exists in danswer-ai/danswer version v0.3.94. This vulnerability allows the first user created in the system to view, modify, and delete chats created by an Admin. This can lead to unauthorized access to sensitive information, loss of data integrity, and potential compliance violations.

CVSS v3 8.1 HIGH

8.1^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://huntr.com/bounties/1425dada-72d8-4bd9-a3e7-2863bb3e1a6c	Exploit
https://huntr.com/bounties/1425dada-72d8-4bd9-a3e7-2863bb3e1a6c	Exploit

Configurations

Configuration 1 (hide)

cpe:2.3:a:onyx:onyx:0.3.94:*:*:*:*:*:*:*

History

No history.

Information

Published : 2025-03-20 10:15

Updated : 2025-10-15 13:15

NVD link : CVE-2024-7767

Mitre link : CVE-2024-7767

CVE.ORG link : CVE-2024-7767

JSON object : View

Products Affected

onyx

onyx

CWE

CWE-862

Missing Authorization

{"id": "CVE-2024-7767", "cveTags": [], "metrics": {"cvssMetricV30": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.8}], "cvssMetricV31": [{"type": "Primary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 2.8}]}, "published": "2025-03-20T10:15:37.007", "references": [{"url": "https://huntr.com/bounties/1425dada-72d8-4bd9-a3e7-2863bb3e1a6c", "tags": ["Exploit"], "source": "[email protected]"}, {"url": "https://huntr.com/bounties/1425dada-72d8-4bd9-a3e7-2863bb3e1a6c", "tags": ["Exploit"], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-862"}]}], "descriptions": [{"lang": "en", "value": "An improper access control vulnerability exists in danswer-ai/danswer version v0.3.94. This vulnerability allows the first user created in the system to view, modify, and delete chats created by an Admin. This can lead to unauthorized access to sensitive information, loss of data integrity, and potential compliance violations."}, {"lang": "es", "value": "Existe una vulnerabilidad de control de acceso indebido en danswer-ai/danswer versi\u00f3n v0.3.94. Esta vulnerabilidad permite que el primer usuario creado en el sistema vea, modifique y elimine los chats creados por un administrador. Esto puede provocar acceso no autorizado a informaci\u00f3n confidencial, p\u00e9rdida de la integridad de los datos y posibles infracciones de cumplimiento."}], "lastModified": "2025-10-15T13:15:52.630", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:onyx:onyx:0.3.94:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "27CB937B-3A49-4F61-9EA4-572AD261D653"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]"}