CVE-2024-7957

Name of the Vulnerable Software and Affected Versions danswer-ai/danswer versions prior to the fixed version

Description An arbitrary file overwrite issue exists in the ZulipConnector, arising from the load credentials method. This method uses user-controlled input for realm name and zuliprc content to construct file paths and write file contents, allowing attackers to overwrite or create arbitrary files if a zuliprc- directory already exists in the temporary directory.

Recommendations As a temporary workaround, consider disabling the load credentials method until a patch is available. Restrict access to the temporary directory where the zuliprc- directory may be created to minimize the risk of exploitation. Avoid using user-controlled input for realm name and zuliprc content in the affected load credentials method until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.