CVE-2024-8057
📋 TL;DR
In Danswer AI version 0.4.1, unauthenticated attackers can sign up as basic users and create credentials linked to existing connectors, which should be restricted to admin users. This allows excessive resource consumption leading to potential Denial of Service (DoS) and system instability. All deployments using the vulnerable version are affected.
💻 Affected Systems
- danswer-ai/danswer
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete system outage through resource exhaustion DoS, potential data corruption, and unauthorized access to connector configurations.
Likely Case
Performance degradation, increased resource costs, and potential service disruption from excessive credential creation.
If Mitigated
Minimal impact with proper authentication and authorization controls preventing unauthorized credential creation.
🎯 Exploit Status
Exploitation requires only basic user registration and API/web interface access.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.4.2 or later
Vendor Advisory: https://huntr.com/bounties/b5991b98-a721-4acd-8ef2-980e15682913
Restart Required: Yes
Instructions:
1. Update to Danswer version 0.4.2 or later. 2. Restart the Danswer service. 3. Verify user permissions are properly enforced.
🔧 Temporary Workarounds
Disable user registration
allTemporarily disable new user registration to prevent unauthorized access.
Modify Danswer configuration to disable user registration feature
Restrict connector API access
allImplement network-level restrictions to connector management endpoints.
Configure firewall rules to restrict access to connector APIs from non-admin IPs
🧯 If You Can't Patch
- Implement strict rate limiting on credential creation endpoints
- Deploy web application firewall with credential creation pattern detection
🔍 How to Verify
Check if Vulnerable:
Check if running Danswer version 0.4.1 and test if basic users can create credentials linked to existing connectors.Check Version:
Check Danswer version in application interface or deployment configuration.Verify Fix Applied:
After updating, verify basic users cannot create credentials linked to existing connectors and only admin users have this privilege.📡 Detection & Monitoring
Log Indicators:
- Multiple credential creation events from basic user accounts
- Unusual spike in API calls to connector endpoints
- User privilege escalation attempts
Network Indicators:
- High volume of POST requests to credential creation endpoints
- Unusual authentication patterns from new user accounts
SIEM Query:
source="danswer" AND (event="credential_creation" OR event="connector_modification") AND user_role="basic"