CVE-2024-12869
📋 TL;DR
This vulnerability in infiniflow/ragflow v0.12.0 allows any authenticated user to view other users' invite lists because the server does not check that the requester owns the list being requested (a missing authorization check, i.e. broken access control). This exposes personal information such as email addresses and usernames and potentially affects every user of a vulnerable instance. The resulting privacy breach can feed phishing campaigns and create regulatory compliance issues.
💻 Affected Systems
- infiniflow/ragflow
📦 What is this software?
RAGFlow, an open-source retrieval-augmented generation (RAG) engine by InfiniFlow.
⚠️ Risk & Real-World Impact
Worst Case
Mass exposure of user email addresses and usernames leading to widespread phishing campaigns, identity theft, regulatory fines for data protection violations, and complete loss of user trust.
Likely Case
Limited exposure of user contact information enabling targeted phishing attempts against specific users, privacy violations, and potential spam campaigns.
If Mitigated
Minimal impact once authorization is enforced: requests for another user's invite list are rejected, and, where request logging is enabled, the rejected attempts leave an audit trail.
🎯 Exploit Status
Exploitation requires a valid account on the instance, but otherwise involves only ordinary API requests that name another user's identifier; no special tooling is needed. No public exploit code identified.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v0.12.1 or later
Vendor Advisory: https://huntr.com/bounties/768b1a56-1e79-416a-8445-65953568b04a
Restart Required: Yes
Instructions:
1. Back up the current configuration and data.
2. Update ragflow to version v0.12.1 or later using your deployment method (Docker, Kubernetes, etc.).
3. Restart the ragflow service.
4. Verify the update was successful: confirm the running version and repeat the cross-user invite-list test described under "How to Verify".
🔧 Temporary Workarounds
Access Control Enhancement
Implement additional authorization checks at the application layer so that every invite-list request is scoped to the authenticated user: derive the owner from the session rather than from a client-supplied identifier, and reject (rather than silently re-scope) requests that name a different user so the attempt is visible in logs.
Network Segmentation
Restrict access to the ragflow API endpoints to trusted users and networks (for example via VPN or allow-listed source ranges). Note that this only shrinks the pool of potential attackers; the flaw remains exploitable by any account that can still authenticate.
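The application-layer check described above, shown as an added example rather than RAGFlow's own code: a handler with the authorization bug this advisory describes sits beside a hardened version. The storage layout (an in-memory list of invite rows with an `owner_id`), the `current_user_id` argument standing in for the authenticated session, and the `owner_only` decorator are all assumptions made for illustration and do not correspond to RAGFlow's actual API or schema.

```python
"""Added example (not infiniflow/ragflow code): a vulnerable invite-list
handler next to a hardened one that derives ownership from the session.

Assumptions (hypothetical, for illustration only):
  * invites are rows of (owner_id, invitee_email, invitee_name);
  * the web layer has already authenticated the caller and passes its
    user id in as ``current_user_id``;
  * ``owner_id`` is what the client put in the path or query string.
"""
import functools
from dataclasses import dataclass
from typing import Callable, List, Optional


class Forbidden(Exception):
    """Raised when the caller may not read the requested resource."""


@dataclass(frozen=True)
class Invite:
    owner_id: str          # user who sent the invitation
    invitee_email: str     # personal data the advisory says was exposed
    invitee_name: str


# Constructed sample data standing in for the database table.
INVITES: List[Invite] = [
    Invite("alice", "bob@example.com", "Bob"),
    Invite("alice", "carol@example.com", "Carol"),
    Invite("dave", "erin@example.com", "Erin"),
]


def list_invites_vulnerable(current_user_id: str, owner_id: str) -> List[Invite]:
    """Buggy pattern: the caller is authenticated, but the query is scoped
    only by the client-supplied owner_id. Any logged-in user can substitute
    someone else's id and read that user's invite list."""
    del current_user_id  # never consulted; that is the bug
    return [i for i in INVITES if i.owner_id == owner_id]


def owner_only(handler: Callable[..., List[Invite]]) -> Callable[..., List[Invite]]:
    """Decorator that enforces ownership before the handler body runs.

    A client-supplied owner_id is accepted only when it equals the session
    user; a mismatch raises Forbidden instead of being silently re-scoped,
    so probing shows up as a 403-class event in the logs. The handler is
    always called with the session-derived id, never the client's."""
    @functools.wraps(handler)
    def wrapper(current_user_id: str, owner_id: Optional[str] = None, **kwargs):
        if owner_id is not None and owner_id != current_user_id:
            raise Forbidden(
                f"user {current_user_id!r} may not read invites of {owner_id!r}"
            )
        return handler(current_user_id, current_user_id, **kwargs)
    return wrapper


@owner_only
def list_invites_hardened(current_user_id: str, owner_id: str) -> List[Invite]:
    """Fixed pattern: by the time this body runs, owner_id is guaranteed to
    be the authenticated user, so the query cannot leak another user's rows."""
    return [i for i in INVITES if i.owner_id == owner_id]


def cross_user_read_blocked(caller: str, target: str) -> bool:
    """Helper for verification: True if the hardened handler refuses to let
    `caller` read `target`'s invite list."""
    try:
        list_invites_hardened(caller, target)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    # dave reads alice's list through the buggy handler: two emails leak.
    print([i.invitee_email for i in list_invites_vulnerable("dave", "alice")])
    # the hardened handler refuses the same request.
    print(cross_user_read_blocked("dave", "alice"))
```

The important design choice is in `owner_only`: the handler never sees the client's identifier at all, so adding a new invite-related endpoint cannot reintroduce the bug by forgetting the comparison.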
🧯 If You Can't Patch
- Implement strict network access controls to limit who can access the ragflow API endpoints.
- Monitor API logs for requests to invite-list endpoints in which the user identifier in the request differs from the authenticated user, and alert on them.
🔍 How to Verify
Check if Vulnerable:
Check whether the instance runs ragflow v0.12.0 by examining the version in the web interface or configuration files. Then, using two ordinary (non-admin) accounts, authenticate as one and request the other's invite list; if the response contains the second user's invitees, the instance is vulnerable.
Check Version:
docker inspect --format '{{.Config.Image}}' ragflow_container (prints the image name and tag the container was started from) OR check the web interface /api/version endpoint
Verify Fix Applied:
After updating to v0.12.1+, repeat the two-account test: a request for another user's invite list must be rejected (or return only the requester's own entries), while a request for the user's own list still succeeds.
📡 Detection & Monitoring
Log Indicators:
- API requests to the invite-list endpoints (shown here as /api/invite; substitute the paths your deployment actually serves) in which the user ID in the request differs from the authenticated user
- Multiple failed authorization attempts for invite list access
Network Indicators:
- Unusual patterns of API calls to invite-related endpoints from single users
- High volume of GET requests to user-specific invite endpoints
SIEM Query:
source="ragflow" (uri_path="/api/invite" OR uri_path="/api/user/*/invite") | where user_id != requesting_user_id
(The field-to-field comparison has to be in a where clause: written as a search term, user_id!=requesting_user_id compares the field against the literal string "requesting_user_id" and matches almost everything. Adjust the path patterns to the endpoints your instance exposes.)
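The detection logic above, applied to a handful of constructed access-log lines as an added example (not part of the original advisory and not RAGFlow's logging). The JSON log format, the `/api/user/<id>/invite` path shape (taken from the SIEM query above, not verified against RAGFlow's real routes), and the enumeration thresholds are assumptions; adapt `INVITE_PATH` to the paths your instance actually serves.

```python
"""Added example: flag cross-user invite-list reads and enumeration bursts
in request logs. Not infiniflow/ragflow code; log format and paths are
assumed for illustration.

Assumed log line shape (one JSON object per line):
  {"ts": ISO-8601, "user_id": authenticated user, "method": ..,
   "path": request path, "status": HTTP status}
"""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Assumed route shape; mirrors the advisory's SIEM query, not a verified route.
INVITE_PATH = re.compile(r"^/api/user/(?P<target>[^/]+)/invite/?$")

# Constructed sample log: u2 reads several other users' lists in quick
# succession; the last attempt is rejected (as it would be after patching).
LOG_LINES = [
    '{"ts": "2024-12-20T10:00:01Z", "user_id": "u1", "method": "GET", "path": "/api/user/u1/invite", "status": 200}',
    '{"ts": "2024-12-20T10:00:05Z", "user_id": "u2", "method": "GET", "path": "/api/user/u1/invite", "status": 200}',
    '{"ts": "2024-12-20T10:00:09Z", "user_id": "u2", "method": "GET", "path": "/api/user/u3/invite", "status": 200}',
    '{"ts": "2024-12-20T10:00:12Z", "user_id": "u2", "method": "GET", "path": "/api/user/u4/invite", "status": 200}',
    '{"ts": "2024-12-20T10:00:20Z", "user_id": "u2", "method": "GET", "path": "/api/user/u5/invite", "status": 403}',
    '{"ts": "2024-12-20T10:00:30Z", "user_id": "u3", "method": "GET", "path": "/api/health", "status": 200}',
]


def parse_events(lines: List[str]) -> List[Dict]:
    """Parse JSON log lines; malformed lines are skipped, not fatal."""
    events = []
    for line in lines:
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def find_cross_user_reads(events: List[Dict]) -> List[Dict]:
    """Every invite-list request whose path names a user other than the
    authenticated one. Status < 400 means the read succeeded (vulnerable
    instance); 4xx means it was blocked but someone is still probing."""
    findings = []
    for ev in events:
        m = INVITE_PATH.match(ev.get("path", ""))
        if not m:
            continue
        target = m.group("target")
        if target != ev.get("user_id"):
            findings.append({
                "ts": ev["ts"],
                "actor": ev["user_id"],
                "target": target,
                "outcome": "succeeded" if int(ev["status"]) < 400 else "blocked",
            })
    return findings


def find_enumeration(events: List[Dict], min_targets: int = 3,
                     window: timedelta = timedelta(minutes=5)) -> List[Dict]:
    """Actors that touched at least `min_targets` distinct other users'
    invite lists inside a sliding `window`; the high-volume pattern the
    advisory lists under network indicators."""
    by_actor: Dict[str, List] = defaultdict(list)
    for f in find_cross_user_reads(events):
        ts = datetime.fromisoformat(f["ts"].replace("Z", "+00:00"))
        by_actor[f["actor"]].append((ts, f["target"]))

    alerts = []
    for actor, hits in by_actor.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            targets = {tgt for ts, tgt in hits[i:] if ts - start <= window}
            if len(targets) >= min_targets:
                alerts.append({"actor": actor, "distinct_targets": len(targets),
                               "window_start": start.isoformat()})
                break  # one alert per actor is enough
    return alerts


if __name__ == "__main__":
    evs = parse_events(LOG_LINES)
    for f in find_cross_user_reads(evs):
        print(f)
    print(find_enumeration(evs))
```

Both functions work from the same parsed events, so the enumeration alert only fires on requests that were already cross-user; a user paging through their own invite list never counts toward the threshold.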