ageerle ruoyi-ai Improper Authorization Vulnerability in SysModelController Component
Vulnerability
A critical unauthorized access vulnerability has been identified in the SysModelController component of ageerle ruoyi-ai versions through 2.0.1. This vulnerability allows attackers to add, delete, modify, and query the system's large model configuration without any access credentials. The issue arises from improper authorization checks in the API interface, which can be exploited remotely.
Impact
Exploitation of this vulnerability allows for unauthorized modification of system model configurations, potentially leading to unauthorized access or manipulation of sensitive data and functionalities within the application.
Reproduction
The vulnerability can be reproduced by sending a PUT request to the '/prod-api/system/model' endpoint without including any authorization credentials. This request can be made using a web browser or a tool like Postman. Once the request is sent, the response will indicate that the model information has been successfully modified, demonstrating the unauthorized access.
Remediation
Users are advised to upgrade to version 2.0.2, which addresses this vulnerability by implementing the necessary authorization checks. The updated version is available on the project's GitHub releases page.
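The script below is an added example; it is not part of this advisory or of the ruoyi-ai project. It shows how a defender can sweep reverse-proxy access logs for requests to the model-configuration endpoint named above that carried no credential, separating accepted unauthenticated requests (the condition described under Impact, and the signal that an instance is still on a vulnerable version) from rejected attempts (what a patched 2.0.2 instance should produce). It covers every method, not just the PUT used in the Reproduction section, because the advisory states that add, delete, modify and query were all exposed. The log format, the auth= field and the sample lines are constructed assumptions: the default nginx combined format does not record whether an Authorization header was present, so a field like this would have to be added to the proxy's log_format before the script is useful against real logs.

```python
"""Flag unauthenticated requests to the ruoyi-ai model-configuration endpoint
in reverse-proxy access logs.

Added example, not code from the advisory or from the ruoyi-ai project.
Assumed log format (constructed; not nginx's default "combined" format):

  <ip> [<time>] "<METHOD> <path> HTTP/1.x" <status> auth=<yes|no>

where auth=yes means the proxy saw an Authorization header on the request.
"""

import re
from dataclasses import dataclass

# Resource paths that must never be reachable without a credential.
# /prod-api/system/model is the endpoint named in the advisory; add further
# admin-only prefixes here if your deployment exposes them.
PROTECTED_PREFIXES = ("/prod-api/system/model",)

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) auth=(?P<auth>yes|no)$'
)


@dataclass
class Finding:
    ip: str
    time: str
    method: str
    path: str
    status: int
    # "confirmed": the server accepted an unauthenticated request (vulnerable
    # instance); "attempt": it was rejected (expected after the 2.0.2 upgrade).
    severity: str


def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_protected(path):
    """True if the path (query string ignored) is the protected resource or a sub-path of it."""
    path = path.split("?", 1)[0]
    return any(path == p or path.startswith(p + "/") for p in PROTECTED_PREFIXES)


def detect(lines):
    """Return a Finding for every request to a protected path that carried no credential."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["auth"] == "yes" or not is_protected(rec["path"]):
            continue
        status = int(rec["status"])
        severity = "confirmed" if 200 <= status < 300 else "attempt"
        findings.append(Finding(rec["ip"], rec["time"], rec["method"],
                                rec["path"], status, severity))
    return findings


# Constructed sample log: two legitimate authenticated calls, then an
# unauthenticated PUT that the server accepted (vulnerable behaviour), an
# unauthenticated DELETE that was rejected, an unauthenticated read that was
# served, and one line that does not match the format at all.
SAMPLE_LOG = """\
10.0.0.5 [12/Mar/2025:10:01:02 +0000] "GET /prod-api/system/model/list HTTP/1.1" 200 auth=yes
10.0.0.5 [12/Mar/2025:10:01:09 +0000] "PUT /prod-api/system/model HTTP/1.1" 200 auth=yes
198.51.100.7 [12/Mar/2025:10:02:31 +0000] "PUT /prod-api/system/model HTTP/1.1" 200 auth=no
198.51.100.7 [12/Mar/2025:10:02:40 +0000] "DELETE /prod-api/system/model/3 HTTP/1.1" 401 auth=no
198.51.100.7 [12/Mar/2025:10:02:45 +0000] "GET /prod-api/system/model/3?detail=1 HTTP/1.1" 200 auth=no
garbage line that does not parse
"""

if __name__ == "__main__":
    for f in detect(SAMPLE_LOG.splitlines()):
        print(f"{f.severity:9} {f.ip} {f.method} {f.path} -> {f.status}")
```

Any "confirmed" finding after the upgrade to 2.0.2 means the authorization check is still not being applied on that path (for example a second instance that was not upgraded, or a proxy rule that bypasses the application's filter), so the script doubles as a post-remediation check when run over logs collected after the upgrade.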
