PT-2024-24937

Laluka · Published 2024-04-26 · Updated 2025-10-29 · CVE-2024-32881

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Danswer versions prior to 3.63
Description: Danswer, the AI Assistant connected to a company's documents, applications, and people, exposes the GET/SET operations for its Slack Bot Tokens without authorization. Anyone with network access to the instance can therefore read and replace the Slack bot tokens, leading to full compromise of the customer's Slack bot and of the internal Slack access it holds.
Recommendations: For versions prior to 3.63, update to version 3.63 or later to resolve the issue. As a temporary workaround, restrict network access to the Danswer AI Assistant to minimize the risk of exploitation. Additionally, restrict access to the Slack Bot Tokens to prevent unauthorized GET/SET operations.

Weakness Enumeration: Improper Authorization

Related Identifiers

CVE-2024-32881
GHSA-XR9W-3GGR-HR6J

Affected Products

Answer
Slack Bot