PT-2025-12154 · Unknown · Infiniflow/Ragflow

Published: 2025-03-20 · Updated: 2025-07-14 · CVE-2024-12880

CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Name of the Vulnerable Software and Affected Versions: infiniflow/ragflow, version RAGFlow-0.13.0

Description: A vulnerability in infiniflow/ragflow allows partial account takeover via insecure data querying. The issue arises from the way tenant IDs are handled in the application: the tenant ID supplied with a request is used to look up data without verifying that the requesting user actually belongs to that tenant. A user who has access to multiple tenants can therefore manipulate the tenant ID to query and access the API tokens of other tenants. The following endpoints are affected: /v1/system/token list, /v1/system/new token, /v1/api/token list, /v1/api/new token, and /v1/api/rm. An attacker can use this to read other tenants' API tokens, perform actions on behalf of those tenants, and access their data.

Recommendations: For version RAGFlow-0.13.0, as a temporary workaround, restrict access to the affected API endpoints until a patch is available. Do not use the caller-supplied tenant id variable in the affected API endpoints without an authorization check, to minimize the risk of exploitation. Restrict access to the vulnerable token list and new token functions to prevent unauthorized access to API tokens.
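The flaw class above (a tenant ID taken from the request and used for the lookup with no membership check) is illustrated below, together with the check that closes it. This is an added example and not RAGFlow's own code: the store, the tenant and user names, the token values and the function names are all constructed for the illustration.

```python
# Added illustration of the authorization flaw class described above
# (cross-tenant API-token access via a caller-supplied tenant ID).
# Hypothetical code, not RAGFlow's own: the store, tenants, users and
# tokens below are constructed for the example.
from dataclasses import dataclass, field


class NotAuthorized(Exception):
    """Raised when a caller is not a member of the tenant it names."""


@dataclass
class Store:
    # tenant_id -> set of user ids belonging to that tenant (constructed)
    memberships: dict[str, set[str]] = field(default_factory=dict)
    # tenant_id -> list of API tokens owned by that tenant (constructed)
    tokens: dict[str, list[str]] = field(default_factory=dict)


def build_demo_store() -> Store:
    """Two tenants; alice and bob belong to tenant-a, carol to tenant-b."""
    s = Store()
    s.memberships = {"tenant-a": {"alice", "bob"}, "tenant-b": {"carol"}}
    s.tokens = {"tenant-a": ["ragflow-a-0001"], "tenant-b": ["ragflow-b-0001"]}
    return s


# --- Vulnerable pattern: the tenant_id from the request is trusted as-is. ---
def list_tokens_vulnerable(store: Store, user_id: str, requested_tenant_id: str):
    # Any authenticated user can name any tenant_id and read its tokens;
    # user_id is never consulted.
    return list(store.tokens.get(requested_tenant_id, []))


# --- Hardened pattern: verify membership before touching tenant data. ---
def require_tenant_member(store: Store, user_id: str, tenant_id: str) -> None:
    if user_id not in store.memberships.get(tenant_id, set()):
        raise NotAuthorized(f"{user_id} is not a member of {tenant_id}")


def list_tokens_hardened(store: Store, user_id: str, requested_tenant_id: str):
    require_tenant_member(store, user_id, requested_tenant_id)
    return list(store.tokens.get(requested_tenant_id, []))


def new_token_hardened(store: Store, user_id: str, tenant_id: str, token: str):
    require_tenant_member(store, user_id, tenant_id)
    store.tokens.setdefault(tenant_id, []).append(token)
    return token


def remove_token_hardened(store: Store, user_id: str, tenant_id: str, token: str):
    # Check membership AND that the token belongs to that tenant, so a
    # caller cannot delete another tenant's token by naming it.
    require_tenant_member(store, user_id, tenant_id)
    owned = store.tokens.get(tenant_id, [])
    if token not in owned:
        raise NotAuthorized("token does not belong to this tenant")
    owned.remove(token)
    return True


def demo():
    """Returns (tokens leaked by the vulnerable path, whether the hardened path blocked it)."""
    s = build_demo_store()
    leaked = list_tokens_vulnerable(s, "alice", "tenant-b")  # alice is not in tenant-b
    try:
        list_tokens_hardened(s, "alice", "tenant-b")
        blocked = False
    except NotAuthorized:
        blocked = True
    return leaked, blocked


if __name__ == "__main__":
    print(demo())
```

The check is deliberately a single function (`require_tenant_member`) called by every token endpoint, so list, create and remove cannot drift apart; the remove path additionally confirms that the token belongs to the named tenant. Logging each `NotAuthorized` with the user and the tenant it named also gives a cheap detection signal for probing of this kind.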

Weakness Enumeration: Improper Authorization

Related Identifiers: CVE-2024-12880

Affected Products: Infiniflow/Ragflow