CVE-2024-9612
📋 TL;DR
This vulnerability allows attackers to bypass front-end visibility restrictions by directly calling the search API, even when administrators have hidden the search page. Regular users who should be blocked from search functionality can access it through API calls. This affects all users of danswer-ai/danswer v0.3.94 where search page visibility controls are used.
💻 Affected Systems
- danswer-ai/danswer
📦 What is this software?
Onyx by Onyx
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain unauthorized access to sensitive search functionality that could expose confidential data, perform unauthorized searches, or access restricted information that should be hidden from their role.
Likely Case
Users bypass intended access controls to access search features they shouldn't have, potentially discovering sensitive information or functionality they're not authorized to use.
If Mitigated
With proper API-level authorization checks, users would be blocked from accessing hidden search functionality regardless of front-end visibility settings.
🎯 Exploit Status
Exploitation requires knowledge of API endpoints but is straightforward once endpoints are known. Attackers need valid user credentials but can bypass visibility restrictions.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v0.3.95 or later
Vendor Advisory: https://huntr.com/bounties/c1046fa0-a719-475e-ba62-2b97873fbac4
Restart Required: Yes
Instructions:
1. Update danswer-ai/danswer to version v0.3.95 or later.
2. Restart the application.
3. Verify that the API endpoints now check the search page visibility status before serving requests.
🔧 Temporary Workarounds
API Gateway/Proxy Filtering
Implement API gateway or reverse proxy rules that block the search API endpoints while the search page is hidden. nginx cannot read the application's visibility setting on its own, so the block below is a blunt stop-gap that denies every caller, admins included, until the patch is applied.
# Example nginx location block (stop-gap: denies all callers)
location /api/search {
deny all;
}
Disable Search Page Hiding
Keep the search page visible to all users; with no hidden page there is nothing for a direct API call to bypass.
# In danswer configuration
search_page_visible: true
🧯 If You Can't Patch
- Implement network-level access controls to restrict API calls to search endpoints based on user roles
- Add application-level middleware that validates search page visibility before processing API requests
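The application-level check described above, as an added example that is not Danswer's own code: the UI-only handler beside a hardened one that enforces the visibility setting and the caller's role in the API layer. `Settings`, `User`, `search_visible` and `is_admin` are assumed stand-ins for the real config and models.

```python
"""Server-side enforcement of the search-page visibility setting.

Added example, not Danswer's own code: Settings, User, search_visible and
is_admin are assumed stand-ins for the application's real config and models.
"""
from dataclasses import dataclass
from typing import Callable, Dict


@dataclass
class Settings:
    search_visible: bool  # admin-controlled: show the search page to regular users?


@dataclass
class User:
    name: str
    is_admin: bool


class Forbidden(Exception):
    """Raised when the caller may not use the search API."""


def search_ui_only(user: User, settings: Settings, query: str) -> str:
    """Vulnerable pattern: the UI hides the page, but the API trusts any
    authenticated caller, so a direct request still returns results."""
    return f"results for {query!r} (requested by {user.name})"


def require_search_access(user: User, settings: Settings) -> None:
    """The check that belongs in the API layer, not only in the front end:
    hidden page -> admins only; visible page -> every authenticated user."""
    if settings.search_visible or user.is_admin:
        return
    raise Forbidden(f"search page is hidden; {user.name} is not an admin")


def search_enforced(user: User, settings: Settings, query: str) -> str:
    """Hardened handler: same work as above, gated by the server-side check."""
    require_search_access(user, settings)
    return search_ui_only(user, settings, query)


def call(handler: Callable, user: User, settings: Settings, query: str) -> Dict[str, object]:
    """Simulate a direct API call that never touched the UI; report status and body."""
    try:
        return {"status": 200, "body": handler(user, settings, query)}
    except Forbidden as exc:
        return {"status": 403, "body": str(exc)}
```

Running `call(search_ui_only, ...)` for a regular user with the page hidden returns 200, reproducing the bypass; `call(search_enforced, ...)` returns 403 for the same request and 200 for admins or when the page is visible.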
🔍 How to Verify
Check if Vulnerable:
1. Set the search page to invisible in the admin settings.
2. As a regular user, call the search API endpoints directly.
3. If the search functionality still works, the system is vulnerable.
Check Version:
docker exec danswer-container cat /app/version.txt
Alternatively, check package.json for the version.
Verify Fix Applied:
1. Update to the patched version.
2. Set the search page to invisible.
3. Attempt direct API calls as a regular user; they should receive an authorization error.
4. Verify that search works when the page is visible.
📡 Detection & Monitoring
Log Indicators:
- API calls to search endpoints from users who shouldn't have access
- Search queries from users when search page is marked invisible
- Authorization failures for search API after patch
Network Indicators:
- Direct API calls to /api/search endpoints bypassing UI
- Search-related traffic when search page should be disabled
SIEM Query:
source="danswer" AND (uri_path="/api/search" OR uri_path="/search") AND user_role!="admin" AND search_page_visible="false"