PT-2025-12289 · Answer

Published: 2025-03-20 · Updated: 2025-03-20 · CVE-2024-9617

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: danswer-ai/danswer version 0.3.94

Description: The issue allows an attacker to view any user's files because the endpoint does not verify that the requester is the creator of the file. It can be exploited by calling the GET /api/chat/file/{file id} interface directly; the file is selected from the file id variable alone.

Recommendations: For danswer-ai/danswer version 0.3.94, consider restricting access to the GET /api/chat/file/{file id} interface until a patch is available, or implement a verification mechanism to ensure that only the file creator can access the file.
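The missing check and the recommended fix, as an added illustration in plain Python (this is not danswer's code; the store, user ids, file ids and HTTPError class are constructed stand-ins for a framework route handler). The vulnerable handler keys the lookup on the file id alone, the fixed handler also requires ownership, and find_cross_user_reads lets a defender review a pre-patch access log for reads of files the requester does not own.

```python
from dataclasses import dataclass


class HTTPError(Exception):
    """Stand-in for a web framework's HTTP error response."""

    def __init__(self, status_code: int, detail: str) -> None:
        super().__init__(f"{status_code}: {detail}")
        self.status_code = status_code


@dataclass(frozen=True)
class StoredFile:
    file_id: str
    owner_id: int  # the user who uploaded the file
    content: bytes


# Constructed sample store: two users, one uploaded file each.
FILE_STORE = {
    "f-1001": StoredFile("f-1001", owner_id=1, content=b"alice's notes"),
    "f-1002": StoredFile("f-1002", owner_id=2, content=b"bob's contract"),
}


def get_chat_file_vulnerable(file_id: str, current_user_id: int) -> bytes:
    """The IDOR pattern: the caller is authenticated, but the lookup is keyed
    on file_id alone, so any user can read any file whose id they supply."""
    record = FILE_STORE.get(file_id)
    if record is None:
        raise HTTPError(404, "file not found")
    return record.content


def get_chat_file_fixed(file_id: str, current_user_id: int) -> bytes:
    """Hardened handler: the file must exist AND belong to the caller. Both
    failures return 404 so the route does not confirm that a foreign id exists."""
    record = FILE_STORE.get(file_id)
    if record is None or record.owner_id != current_user_id:
        raise HTTPError(404, "file not found")
    return record.content


def find_cross_user_reads(access_log):
    """Retrospective check for an unpatched deployment: from (user_id, file_id,
    status) tuples of the route's access log, return successful foreign reads."""
    return [(user, fid) for user, fid, status in access_log
            if status == 200 and fid in FILE_STORE
            and FILE_STORE[fid].owner_id != user]
```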

Fix

Improper Access Control

IDOR


Weakness Enumeration

Related Identifiers: CVE-2024-9617

Affected Products: Answer