CVE-2024-4851

Name of the Vulnerable Software and Affected Versions stangirard/quivr version 0.0.204

Description A Server-Side Request Forgery (SSRF) vulnerability exists in the stangirard/quivr application, which allows attackers to access internal networks. The vulnerability is present in the "crawl endpoint" where the url parameter can be manipulated to send HTTP requests to arbitrary URLs, thereby facilitating SSRF attacks. The affected code is located in the backend/routes/crawl routes.py file, specifically within the crawl endpoint function. This issue could allow attackers to interact with internal services that are accessible from the server hosting the application.

Recommendations For version 0.0.204, as a temporary workaround, consider disabling the crawl endpoint function until a patch is available. Restrict access to the crawl endpoint to minimize the risk of exploitation. Avoid using the url parameter in the affected endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.