CVE-2024-3095

SSRF in Langchain Web Research Retriever in langchain-ai/langchain

Severity Score

4.8

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track*

*SSVC

Descriptions

A Server-Side Request Forgery (SSRF) vulnerability exists in the Web Research Retriever component of langchain-ai/langchain version 0.1.5. The vulnerability arises because the Web Research Retriever does not restrict requests to remote internet addresses, allowing it to reach local addresses. This flaw enables attackers to execute port scans, access local services, and in some scenarios, read instance metadata from cloud environments. The vulnerability is particularly concerning as it can be exploited to abuse the Web Explorer server as a proxy for web attacks on third parties and interact with servers in the local network, including reading their response data. This could potentially lead to arbitrary code execution, depending on the nature of the local services. The vulnerability is limited to GET requests, as POST requests are not possible, but the impact on confidentiality, integrity, and availability is significant due to the potential for stolen credentials and state-changing interactions with internal APIs.

Existe una vulnerabilidad de Server-Side Request Forgery (SSRF) en el componente Web Research Retriever de langchain-ai/langchain versión 0.1.5. La vulnerabilidad surge porque Web Research Retriever no restringe las solicitudes a direcciones de Internet remotas, lo que le permite llegar a direcciones locales. Esta falla permite a los atacantes ejecutar escaneos de puertos, acceder a servicios locales y, en algunos escenarios, leer metadatos de instancias de entornos de nube. La vulnerabilidad es particularmente preocupante ya que puede explotarse para abusar del servidor Web Explorer como proxy para ataques web a terceros e interactuar con servidores en la red local, incluida la lectura de sus datos de respuesta. Esto podría conducir potencialmente a la ejecución de código arbitrario, dependiendo de la naturaleza de los servicios locales. La vulnerabilidad se limita a las solicitudes GET, ya que las solicitudes POST no son posibles, pero el impacto en la confidencialidad, la integridad y la disponibilidad es significativo debido al potencial de robo de credenciales e interacciones de cambio de estado con las API internas.

*Credits: N/A

CVSS Scores

huntr.devv3 4.8

Attack Vector

Physical

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:Track*

Exploitation

Poc

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-03-29 CVE Reserved
2024-06-06 CVE Published
2024-06-24 First Exploit
2024-08-01 CVE Updated
2024-10-18 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-918: Server-Side Request Forgery (SSRF)

CAPEC

References (2)

URL	Tag	Source
https://huntr.com/bounties/e62d4895-2901-405b-9559-38276b6a5273

URL	Date	SRC
https://github.com/leoCottret/CVE-2024-30956	2024-06-24

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
-		-				-		-		-