Platform
python
Component
netease-youdao/qanything
CVE-2024-12866 describes a Local File Inclusion (LFI) vulnerability in netease-youdao/qanything. No fixed release is recorded, so every published version up to the current release should be treated as affected. The flaw allows an attacker to read arbitrary files from the host running the application, exposing whatever sensitive data those files contain. The entry was published on 2025-03-20; a fix is expected in a future release.
The primary impact of CVE-2024-12866 is unauthorized disclosure of data. An attacker exploiting the LFI can read any file readable by the account the web server process runs as: configuration files holding database credentials, private SSH keys, environment files, and the application's own source code. Leaked credentials or keys can then be used to reach other systems or to obtain code execution, so the flaw can be the first step of a full compromise even though it does not by itself execute code. Access to the source also gives the attacker a precise view of the application's internals, which makes further attacks easier to find.
The vulnerability is present in the qanything Python package. There is currently no indication of active exploitation in the wild and no public proof-of-concept code, although LFI flaws are typically straightforward to exploit once the affected endpoint and parameter are known. The EPSS score recorded below (0.25%, 48th percentile) puts the estimated probability of exploitation in the next 30 days low, and the vulnerability does not appear in the CISA KEV catalog, which lists only confirmed in-the-wild exploitation. Continued monitoring is advised.
Production deployments of qanything are at significant risk, particularly those running with default configurations or weak access controls, and development and test servers are exposed in the same way. Shared hosts on which several users' instances run under one server are especially affected, because files belonging to one tenant become readable through another tenant's vulnerable instance, and a compromise of one instance can escalate to the whole server.
• python / server:

import requests

# Placeholder host, path and parameter name: substitute the endpoint named in
# the advisory for your deployment. A 200 alone proves little, because many
# applications answer errors with 200, so the response body is checked too.
base_url = 'http://your-qanything-server/qanything'

try:
    response = requests.get(base_url, params={'file': '/etc/passwd'}, timeout=10)
    if response.status_code == 200 and 'root:' in response.text:
        print('Potential LFI detected: file content retrieved.')
    else:
        print(f'No disclosure observed (HTTP {response.status_code}).')
except requests.exceptions.RequestException as e:
    print(f'Error: {e}')

• linux / server:

journalctl -u qanything -f | grep -i "file:"

• generic web:

# -i prints response headers and body; -I would send a HEAD request and
# never show the file contents.
curl -s -i 'http://your-qanything-server/qanything?file=/etc/passwd'
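The journal grep above only matches a literal string. The following is an added example, not part of the advisory or of the qanything project, of a detector for LFI probes in web-server access logs: it decodes each request (repeatedly, since double-encoding is a common filter bypass), flags traversal sequences, absolute paths, NUL bytes and well-known sensitive targets, and records whether the server answered with a non-empty 200, which is the signal that the read probably succeeded. The log lines are constructed for the example, the `/qanything?file=` path and parameter follow the placeholder used in the snippets above, and all function names are hypothetical.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample in Apache/nginx combined log format (not real traffic).
# One benign fetch, one static asset, and four probes from a single client:
# absolute path, encoded traversal, double-encoded traversal, and the
# '....//' variant that survives a filter that strips '../' only once.
SAMPLE_LOG = """\
10.0.0.5 - - [20/Mar/2025:10:01:02 +0000] "GET /qanything?file=report.pdf HTTP/1.1" 200 5120
10.0.0.9 - - [20/Mar/2025:10:01:07 +0000] "GET /qanything?file=/etc/passwd HTTP/1.1" 200 1844
10.0.0.9 - - [20/Mar/2025:10:01:09 +0000] "GET /qanything?file=..%2F..%2F..%2Fetc%2Fshadow HTTP/1.1" 403 0
10.0.0.9 - - [20/Mar/2025:10:01:11 +0000] "GET /qanything?file=%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 1844
10.0.0.12 - - [20/Mar/2025:10:02:00 +0000] "GET /static/app.js HTTP/1.1" 200 88213
10.0.0.9 - - [20/Mar/2025:10:02:05 +0000] "GET /qanything?file=....//....//etc/passwd HTTP/1.1" 200 1844
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)
TRAVERSAL_RE = re.compile(r"\.\.[\\/]")             # also matches inside '..../'
ABSOLUTE_RE = re.compile(r"^(?:/|[A-Za-z]:[\\/])")   # POSIX or Windows absolute path
SENSITIVE_RE = re.compile(
    r"(?:^|/)(?:etc/(?:passwd|shadow)|proc/self|\.ssh/|\.env$)", re.I
)


def normalise(value: str, rounds: int = 3) -> str:
    """Percent-decode until the value stops changing (bounded), so that
    double-encoded payloads are compared in their final decoded form."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_request(target: str, param: str = "file") -> list:
    """Return the reasons a request target looks like an LFI probe against the
    given query parameter; an empty list means nothing suspicious was seen."""
    reasons = []
    query = parse_qs(urlsplit(target).query, keep_blank_values=True)
    for raw in query.get(param, []):
        value = normalise(raw)
        if "\x00" in value:
            reasons.append("nul-byte")
        if TRAVERSAL_RE.search(value):
            reasons.append("traversal")
        if ABSOLUTE_RE.match(value):
            reasons.append("absolute-path")
        if SENSITIVE_RE.search(value):
            reasons.append("sensitive-target")
    return reasons


def scan_log(text: str) -> list:
    """Parse each access-log line and emit an alert for every flagged request.
    A 200 with a non-zero body on a traversal payload is the sign that the
    read most likely succeeded, which is what incident response needs first."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = classify_request(m["target"])
        if reasons:
            alerts.append({
                "ip": m["ip"],
                "time": m["ts"],
                "target": m["target"],
                "status": int(m["status"]),
                "likely_success": m["status"] == "200" and m["size"] not in ("0", "-"),
                "reasons": reasons,
            })
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

On the constructed sample this yields four alerts, all from 10.0.0.9; three of them carry a non-empty 200 and should be triaged as probable disclosures, while the 403 on the `/etc/shadow` probe is a blocked attempt. The same `classify_request` logic is what a WAF rule for the endpoint would need to express.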
Exploit status
EPSS: 0.25% (48th percentile)
CISA SSVC
CVSS vector
Because no fixed version has been recorded, immediate mitigation focuses on limiting the impact. Run the service under a dedicated unprivileged account and restrict that account's filesystem access so that credentials, keys and other sensitive files are not readable by it. Consider a Web Application Firewall (WAF) rule that rejects traversal sequences and absolute paths in requests to file-serving endpoints, and monitor web-server and system logs for unusual file access patterns. Regularly review and harden the application's configuration to minimize the attack surface. Once a patched version is released, upgrade immediately and verify the fix by requesting a file outside the intended directory through the previously vulnerable endpoint; the request must be refused.
Upgrade qanything to a release later than 2.0.0 that corrects the local file inclusion; consult the project's release notes or changelog for details of the fix. As a temporary measure, restrict access to sensitive system files and validate user input so that file paths cannot be manipulated.
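The two mitigations above, limiting what the process can read and validating the requested path, are shown in the following added example, which is not from the advisory or from qanything: a file-serving function in the shape that produces an LFI, beside a hardened version that canonicalises the path and refuses anything outside an allowed directory. The directory layout, the secret file, the payloads and all function names are constructed for the example and assume nothing about qanything's real code.

```python
import os
import tempfile
from pathlib import Path
from urllib.parse import quote, unquote

# Constructed fixture, not real deployment paths: an "uploads" directory the
# application is meant to serve from, plus a secret file outside it standing
# in for /etc/passwd, an SSH key or a config file holding credentials.
_SANDBOX = Path(tempfile.mkdtemp(prefix="lfi_demo_")).resolve()
ALLOWED_ROOT = _SANDBOX / "uploads"
ALLOWED_ROOT.mkdir()
(ALLOWED_ROOT / "report.txt").write_bytes(b"quarterly report\n")
SECRET_FILE = _SANDBOX / "etc" / "credentials.ini"
SECRET_FILE.parent.mkdir()
SECRET_FILE.write_bytes(b"db_password=hunter2\n")


def serve_file_vulnerable(user_path: str) -> bytes:
    """The LFI shape: the decoded request value is joined onto the base
    directory with no containment check. os.path.join discards the base
    entirely when the second argument is absolute, and '..' segments walk
    out of it, so both kinds of payload read files outside ALLOWED_ROOT."""
    target = os.path.join(str(ALLOWED_ROOT), unquote(user_path))
    with open(target, "rb") as fh:
        return fh.read()


def serve_file_hardened(user_path: str) -> bytes:
    """Canonicalise, then check containment. resolve() follows symlinks and
    collapses '..'; relative_to() raises unless the result is under
    ALLOWED_ROOT. NUL bytes are rejected before any filesystem call because
    lower layers may truncate the name at the NUL."""
    decoded = unquote(user_path)
    if "\x00" in decoded:
        raise PermissionError("NUL byte in requested path")
    candidate = (ALLOWED_ROOT / decoded).resolve()
    try:
        candidate.relative_to(ALLOWED_ROOT)
    except ValueError:
        raise PermissionError(f"path escapes allowed root: {user_path!r}") from None
    if not candidate.is_file():
        raise FileNotFoundError(user_path)
    return candidate.read_bytes()


def traversal_payloads() -> dict:
    """Payloads of the kinds an LFI scanner sends, built against the fixture
    so the example stays self-contained: relative traversal, the same
    traversal URL-encoded, an absolute path, and a NUL-byte suffix."""
    rel = os.path.relpath(SECRET_FILE, ALLOWED_ROOT)  # '../etc/credentials.ini'
    return {
        "legit": "report.txt",
        "dotdot": rel,
        "encoded": quote(rel, safe=""),
        "absolute": str(SECRET_FILE),
        "nul": "report.txt\x00.png",
    }


def run_payloads(serve) -> dict:
    """Map each payload name to 'served', 'blocked' (refused by the
    containment check) or 'error' (refused by the OS or by open() itself)."""
    results = {}
    for name, payload in traversal_payloads().items():
        try:
            serve(payload)
            results[name] = "served"
        except PermissionError:
            results[name] = "blocked"
        except (OSError, ValueError):
            results[name] = "error"
    return results


if __name__ == "__main__":
    print("vulnerable:", run_payloads(serve_file_vulnerable))
    print("hardened:  ", run_payloads(serve_file_hardened))
```

Resolving before the containment check is what defeats the `..` and symlink cases; a substring check for `..` on the raw value would miss the encoded form and would still let the absolute payload through, because both `os.path.join` and `pathlib`'s `/` operator replace the base when the second component is absolute. Under the hardened function every non-legitimate payload is refused, while the vulnerable one returns the secret file for the relative, encoded and absolute payloads alike.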
CVE-2024-12866 is a Local File Inclusion vulnerability in the qanything Python application, allowing attackers to read arbitrary files.
You are affected if you run a qanything release for which no fix has been published. Check your installed version against the project's release notes and upgrade as soon as a patched release is available.
Upgrade to a patched version of qanything. Until a patch is available, restrict file access and validate input.
There are currently no known active exploits, but the vulnerability's simplicity suggests a potential for exploitation.
Refer to the netease-youdao project repository and relevant security mailing lists for updates on the advisory and patch release.