PT-2024-38040 · Unknown · Open-Webui

Published 2024-10-09 · Updated 2024-11-03 · CVE-2024-7038

CVSS v3.1: 2.7 (Low)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: open-webui version 0.3.8

Description: An information disclosure issue exists related to the embedding model update feature under admin settings. When a user updates the model path, the system checks if the file exists and provides different error messages based on the existence and configuration of the file. This behavior allows an attacker to enumerate file names and traverse directories by observing the error messages, leading to potential exposure of sensitive information.

Recommendations: For open-webui version 0.3.8, consider restricting access to the admin settings and the embedding model update feature until a patch is available. As a temporary workaround, consider modifying the error messages to be more generic, preventing attackers from enumerating file names and traversing directories.
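The pattern the description and the workaround refer to, shown as an added illustration that is not open-webui's code: a leaky handler whose message depends on what exists on disk, next to a hardened handler that confines the requested path to a model directory and returns one generic message for every failure. The function names, the directory layout and the "config.json" marker are constructed for this example only.

```python
import os
import tempfile
from pathlib import Path

GENERIC_ERROR = "Invalid model path"


def make_sample_layout() -> tuple[Path, Path]:
    """Constructed sample layout (not from the advisory): a model root holding
    one valid model directory, plus an unrelated file outside the model root."""
    root = Path(tempfile.mkdtemp())
    models = root / "models"
    (models / "all-MiniLM").mkdir(parents=True)
    (models / "all-MiniLM" / "config.json").write_text("{}")
    (root / "secret.txt").write_text("not a model")
    return root, models


def check_model_leaky(path: str) -> str:
    """Hypothetical leaky handler: three distinguishable outcomes, so the
    caller learns whether an arbitrary path exists even when it is not a model."""
    if not os.path.exists(path):
        return f"Path {path} does not exist"
    if not os.path.exists(os.path.join(path, "config.json")):
        return f"{path} exists but contains no config.json"
    return "Model updated"


def check_model_hardened(requested: str, model_root: Path) -> str:
    """Hardened handler: resolve inside the model root, reject anything that
    escapes it, and collapse every failure into the same generic message."""
    root = model_root.resolve()
    try:
        candidate = (root / requested).resolve(strict=True)
    except (OSError, RuntimeError):
        return GENERIC_ERROR  # missing path: same message as every other failure
    if root not in candidate.parents:
        return GENERIC_ERROR  # traversal or absolute path outside the model root
    if not (candidate / "config.json").is_file():
        return GENERIC_ERROR  # exists, but is not a model directory
    return "Model updated"


def responses_indistinguishable(model_root: Path, probes: list[str]) -> bool:
    """True when all failing probes produce one identical response, i.e. the
    hardened handler gives no signal about which names exist on disk."""
    return len({check_model_hardened(p, model_root) for p in probes}) == 1


if __name__ == "__main__":
    root, models = make_sample_layout()
    for probe in [str(root / "secret.txt"), str(root / "missing")]:
        print("leaky:   ", check_model_leaky(probe))
    for probe in ["../secret.txt", "../missing", "all-MiniLM"]:
        print("hardened:", check_model_hardened(probe, models))
```

The leaky version answers differently for a file that exists and one that does not, which is the enumeration signal the advisory describes; the hardened version keeps the existence check but never reflects its result, and additionally refuses paths that resolve outside the model root.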

Weakness Enumeration

Generation of Error Message Containing Sensitive Information
Information Disclosure

Related Identifiers

CVE-2024-7038
GHSA-MQ92-JR35-FFPC

Affected Products

Open-Webui