xerrors Yuxi-Know Server-Side Request Forgery Vulnerability
Vulnerability
A server-side request forgery (SSRF) vulnerability has been identified in xerrors Yuxi-Know versions through 0.4.0. The issue arises in the function OtherEmbedding.aencode within the file /src/models/embed.py. An authenticated user can control the health_url parameter, so the server fetches a URL of the user's choosing, potentially giving unauthorized access to internal services or data.
Impact
Exploitation of this vulnerability allows server-side request forgery: an authenticated user can make the server send requests to internal or external resources that the user could not reach directly, potentially exposing sensitive information or services.
Reproduction
To reproduce this vulnerability, an authenticated user sends a request to the server with a manipulated health_url parameter that points at a URL the server will fetch, such as an internal address.
Remediation
Users are advised to update to the patched version of Yuxi-Know, which is available on the project's GitHub repository.
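The patch itself is not reproduced on this page. As an added defensive example (not code from the Yuxi-Know project), the following shows the kind of validation a server should apply to a user-supplied health_url before fetching it: pin the scheme, refuse embedded credentials, resolve the host and reject any address that is not publicly routable. The names FAKE_DNS, fake_resolver, system_resolver, validate_health_url and is_safe_health_url are hypothetical, and FAKE_DNS is a constructed stand-in for DNS so the example runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
# Constructed stand-in for DNS so the example runs offline (real use: system_resolver).
FAKE_DNS = {
    "embed.example.com": ["93.184.216.34"],                # public address
    "embed.corp.internal": ["10.20.30.40"],                # RFC 1918, reject
    "rebind.example.net": ["93.184.216.34", "127.0.0.1"],  # one bad answer rejects the host
}

def fake_resolver(host: str) -> list[str]:
    return FAKE_DNS.get(host, [])

def system_resolver(host: str) -> list[str]:
    """All A/AAAA answers for host from the OS resolver."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})

def validate_health_url(url: str, resolver=system_resolver) -> str:
    """Return url if it is safe to fetch server-side, else raise ValueError."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:          # no file://, gopher://, etc.
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise ValueError("credentials in URL are not allowed")
    host = parts.hostname                            # brackets stripped for IPv6
    if not host:
        raise ValueError("missing host")
    try:                                             # literal IP: check it directly
        addrs = [ipaddress.ip_address(host)]
    except ValueError:                               # hostname: check every answer
        answers = resolver(host)
        if not answers:
            raise ValueError(f"host {host!r} did not resolve")
        addrs = [ipaddress.ip_address(a) for a in answers]
    for addr in addrs:
        # is_global is False for loopback, RFC 1918, link-local (where cloud
        # metadata services sit), ULA, CGNAT, IPv4-mapped IPv6 and reserved space;
        # multicast is rejected explicitly because older Pythons report it global.
        if not addr.is_global or addr.is_multicast:
            raise ValueError(f"{host!r} maps to non-public address {addr}")
    return url

def is_safe_health_url(url: str, resolver=system_resolver) -> bool:
    """Predicate form; OSError covers resolver failures such as socket.gaierror."""
    try:
        return validate_health_url(url, resolver) == url
    except (ValueError, OSError):
        return False
```

Validation alone does not stop a name that re-resolves to a private address between the check and the fetch (DNS rebinding) or an HTTP redirect to one; the fetch should connect to the address that was validated and have redirects disabled.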
