Platform
python
Component
open-webui
Fixed in
0.5.17
CVE-2024-8060 is a Remote Code Execution (RCE) vulnerability affecting OpenWebUI versions up to 0.5.9. This flaw resides within the audio transcription API endpoint, allowing authenticated users to upload arbitrary files. Successful exploitation could lead to the overwriting of critical files within the Docker container, potentially granting an attacker root access. A fix is available in version 0.5.17.
The vulnerability lies in the /audio/api/v1/transcriptions endpoint, where the application fails to adequately validate the file.content_type and allows user-controlled filenames. An attacker, after authenticating, can leverage this to perform a path traversal, effectively overwriting files within the Docker container's filesystem. This is particularly concerning as OpenWebUI is often deployed within containerized environments, and successful file overwrites could lead to complete system compromise. The attacker could potentially inject malicious code, establish persistent backdoors, or exfiltrate sensitive data. The ability to execute code as root significantly expands the attack surface and potential impact.
CVE-2024-8060 was published on 2025-03-20. Public proof-of-concept exploits are currently unknown, but the vulnerability's ease of exploitation (requiring only authentication) suggests a potential for rapid exploitation. The vulnerability's impact, combined with the popularity of OpenWebUI, warrants careful attention. Its severity is rated 8.1 (HIGH) according to CVSS. It is not currently listed on CISA KEV.
Organizations deploying OpenWebUI within Docker containers, particularly those using it for sensitive audio processing tasks, are at significant risk. Shared hosting environments where OpenWebUI is installed could also be vulnerable if multiple users share the same container.
• linux / server: Monitor Docker container logs for unusual file creation or modification activity, particularly within the OpenWebUI application directory. Use journalctl -u openwebui to check for suspicious API calls.
  journalctl -u openwebui | grep '/audio/api/v1/transcriptions'
• generic web: Monitor web server access logs for requests to /audio/api/v1/transcriptions with unusual or unexpected Content-Type headers.
  grep '/audio/api/v1/transcriptions' /var/log/apache2/access.log
• python: If you have access to the OpenWebUI source code, review the /audio/api/v1/transcriptions endpoint for inadequate file validation logic.
Disclosure
Exploit status
EPSS
0.92% (76th percentile)
CISA SSVC
CVSS vector
The primary mitigation is to upgrade OpenWebUI to version 0.5.17 or later, which addresses the file validation issue. If immediate upgrading is not feasible, consider implementing a Web Application Firewall (WAF) rule to block requests to the /audio/api/v1/transcriptions endpoint or restrict allowed file types and sizes. Additionally, review and harden the Docker container configuration to minimize the potential impact of a successful file overwrite. Implement strict file permissions within the container to limit the attacker's ability to execute overwritten files. Regularly scan container images for vulnerabilities.
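As an added example (not OpenWebUI's own code, which this page does not show), the validation the advisory describes as missing, written as helpers a FastAPI-style upload handler would call before touching the filesystem: an allowlist for content_type, rejection of any filename carrying path components, and a server-chosen on-disk name so the client never decides where or what gets written. The MIME/extension allowlists and the upload directory are assumptions.

```python
import os
import uuid
from pathlib import Path

# Assumed allowlists for a transcription endpoint (not OpenWebUI's actual lists).
ALLOWED_AUDIO_TYPES = {"audio/wav", "audio/x-wav", "audio/mpeg", "audio/mp4", "audio/webm", "audio/ogg"}
ALLOWED_EXTENSIONS = {".wav", ".mp3", ".m4a", ".webm", ".ogg"}
# Assumed upload directory; a real deployment uses whatever path the container mounts.
UPLOAD_DIR = "/tmp/openwebui-uploads"

class UploadRejected(ValueError):
    """Raised for any upload that fails validation; log it and write nothing."""

def validate_upload(filename: str, content_type: str) -> str:
    """Check the client-supplied content type and filename; return the vetted extension."""
    if content_type not in ALLOWED_AUDIO_TYPES:
        raise UploadRejected(f"content type not allowed: {content_type!r}")
    # A filename is only ever a leaf name. Separators, '..' or NUL mean the client is
    # trying to steer where the server writes, which is the traversal behind this CVE.
    if not filename or any(bad in filename for bad in ("/", "\\", "..", "\x00")):
        raise UploadRejected(f"filename carries path components: {filename!r}")
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise UploadRejected(f"extension not allowed: {ext!r}")
    return ext

def safe_upload_path(upload_dir: str, filename: str, content_type: str) -> Path:
    """Return the only path the file may be written to: a server-chosen name inside upload_dir."""
    ext = validate_upload(filename, content_type)
    root = Path(upload_dir).resolve()
    # The user's name is never reused on disk, so an upload cannot replace an existing
    # file even if some later check were bypassed.
    dest = (root / f"{uuid.uuid4().hex}{ext}").resolve()
    if dest.parent != root:  # defence in depth: containment must still hold after resolving
        raise UploadRejected("destination escapes the upload directory")
    return dest

def is_rejected(filename: str, content_type: str) -> bool:
    """True when validation refuses the upload (handy for tests and for audit logging)."""
    try:
        validate_upload(filename, content_type)
    except UploadRejected:
        return True
    return False
```

A handler using this never passes `file.filename` to `open()`; it writes the uploaded bytes to the path returned by `safe_upload_path` and logs every `UploadRejected` with the offending filename and content type, which is the signal the detection section above is looking for.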
Update OpenWebUI to a version later than 0.3.0 that fixes the arbitrary file upload vulnerability. Consult the release notes for more details on the update. As a temporary measure, restrict access to the `/audio/api/v1/transcriptions` endpoint until the update can be performed.
CVE-2024-8060 is a Remote Code Execution vulnerability in OpenWebUI versions up to 0.5.9, allowing authenticated users to upload arbitrary files and potentially gain root access.
You are affected if you are running OpenWebUI version 0.5.9 or earlier. Upgrade to 0.5.17 or later to resolve the vulnerability.
Upgrade OpenWebUI to version 0.5.17 or later. As a temporary workaround, implement a WAF rule to block requests to the vulnerable endpoint.
While no public exploits are currently known, the vulnerability's ease of exploitation suggests a potential for rapid exploitation.
Refer to the OpenWebUI GitHub repository for updates and advisories regarding CVE-2024-8060: [https://github.com/open-webui/open-webui](https://github.com/open-webui/open-webui)