Dem00

**Name of the Vulnerable Software and Affected Versions** bytedance InfiniStore versions prior to 0.2.34 **Description** An issue exists in the KV Map Handler component within the `/src/infinistore.h` library. A local attacker can perform a manipulation of the `purge kv map()` function, resulting in inefficient algorithmic complexity, which can lead to a denial of service through resource exhaustion. **Recommendations** As a temporary workaround, restrict access to the `purge kv map()` function to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** thedotmack claude-mem versions prior to 12.0.0 **Description** A weakness exists in the Observation Content Hash Handler component, specifically within the `computeObservationContentHash()` function located in the `src/services/sqlite/observations/store.ts` file. This issue results in the use of a weak hash. Exploitation is difficult, requires local access, and is characterized by high complexity. **Recommendations** Upgrade to version 12.0.0.

**Name of the Vulnerable Software and Affected Versions** onnx onnx-mlir versions prior to 0.5.0.0 **Description** The Placeholder Node Cache Handler component contains an issue within the `generate hash key()` function located in the `src/Runtime/python/torch onnxmlir/src/torch onnxmlir/backend.py` file. This flaw allows for the use of a weak hash. Exploitation requires local access and is characterized by high complexity and difficulty. **Recommendations** Apply patch 72c5187ff6d13c2c2b3d3789b8f5faf99f08a5b4 to resolve the issue.

A flaw has been found in LMCache up to 0.4.6. This affects the function hex hash to int16 of the file lmcache/integration/vllm/utils.py of the component KV Cache Handler. Executing a manipulation can lead to use of weak hash. The attack needs to be launched locally. The attack requires a high level of complexity. It is indicated that the exploitability is difficult. The exploit has been published and may be used. The pull request to fix this issue awaits acceptance.

**Name of the Vulnerable Software and Affected Versions** milvus-io milvus versions prior to 2.6.14 **Description** An issue exists in the Grantee ID Hash Handler component within the file internal/metastore/kv/rootcoord/kv catalog.go. This flaw allows for the use of a weak hash, which can be manipulated. Exploitation requires local access and is characterized by high complexity and difficult exploitability. **Recommendations** Apply patch 3d932f1c3e065351c4440c27abe1e6479752544d to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Langchain-Chatchat versions prior to 0.3.1.4 **Description** A flaw in the Vision Chat Paste Image Handler component allows for the use of a weak hash. This occurs during the manipulation of the `paste image.image data` argument within the `PIL.Image.tobytes()` function located in the `libs/chatchat-server/chatchat/webui pages/dialogue/dialogue.py` file. Exploitation requires the attacker to be present on the local network and is characterized by high complexity. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability. As a temporary workaround, restrict access to the `PIL.Image.tobytes()` function or the Vision Chat Paste Image Handler component to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Langchain-Chatchat versions prior to 0.3.1.4 **Description** An issue exists in the Uploaded File Handler component within the ` get file id()` function of the file `libs/chatchat-server/chatchat/server/api server/openai routes.py`. Manipulation of this function can result in the generation of insufficiently random values. Successful exploitation requires access to the local network and is characterized by high complexity and difficult exploitability. **Recommendations** As a temporary workaround, consider restricting access to the ` get file id()` function until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Langchain-Chatchat versions prior to 0.3.1.4 **Description** A time-of-check time-of-use (TOCTOU) issue exists in the OpenAI-Compatible File Upload API component. Manipulation of the `file.filename` argument within the `files()` function located in the `libs/chatchat-server/chatchat/server/api server/openai routes.py` file can be exploited. Successful exploitation requires local network access and is characterized by high complexity. **Recommendations** As a temporary workaround, restrict access to the `files()` function in the `libs/chatchat-server/chatchat/server/api server/openai routes.py` file to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Langchain-Chatchat versions prior to 0.3.1.4 **Description** A missing authentication issue exists in the Compatible File Service component within the file `libs/chatchat-server/chatchat/server/api server/openai routes.py`. This flaw affects the functions `files()`, `list files()`, `retrieve file()`, `retrieve file content()`, and `delete file()`. An attacker with local network access can exploit this to perform unauthorized actions. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability. As a temporary workaround, restrict access to the functions `files()`, `list files()`, `retrieve file()`, `retrieve file content()`, and `delete file()` within the Compatible File Service to minimize the risk of exploitation.