CVE-2024-11822

Name of the Vulnerable Software and Affected Versions langgenius/dify version 0.9.1

Description The issue is related to a Server-Side Request Forgery (SSRF) vulnerability. This vulnerability exists due to the improper handling of the api endpoint parameter, allowing an attacker to make direct requests to internal network services. This can lead to unauthorized access to internal servers and potentially expose sensitive information, including access to the AWS metadata endpoint.

Recommendations For version 0.9.1, consider restricting access to the api endpoint parameter to minimize the risk of exploitation. As a temporary workaround, avoid using the api endpoint parameter in sensitive operations until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.