Rasa Pro Missing Authentication Vulnerability in Voice Connectors
Vulnerability
Rasa Pro voice connectors do not properly enforce authentication: a token configured in the credentials.yml file is not actually required on inbound requests. This flaw could enable an attacker to send voice data to a Rasa Pro assistant from an unauthenticated source. The issue affects Rasa Pro versions 3.9.17 and prior, 3.10.18 and prior, 3.11.6 and prior, and 3.12.5 and prior. The vulnerability has been addressed in versions 3.9.20, 3.10.19, 3.11.7, and 3.12.6.
Impact
An unauthenticated attacker who can reach the connector endpoint could send voice data to a Rasa Pro assistant and drive conversations through the voice channel, misusing the voice interaction features.
Remediation
Users are advised to upgrade to Rasa Pro versions 3.9.20, 3.10.19, 3.11.7, or 3.12.6 (the fixed release of the minor version in use). For connectors that do not support authentication at all, such as those using Twilio, the upgrade does not provide a token check, so extra caution is warranted: limit which sources can reach the connector endpoint and apply other compensating controls where applicable.
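The flaw described in the Vulnerability section (a token read from configuration but never enforced) and the Twilio case called out in the remediation, as an added example that is not Rasa Pro's own code: a hypothetical voice-connector webhook check showing the vulnerable pattern beside its hardened form, plus validation of Twilio's documented X-Twilio-Signature (base64 of HMAC-SHA1, keyed with the account auth token, over the request URL followed by the POST fields sorted by name) as a compensating control for a connector with no token support. The Request shape, the X-Connector-Token header name, the config keys and all sample values are assumptions constructed for this example.

```python
"""Added example (not Rasa Pro code): the authentication pattern behind the
advisory, as a hypothetical voice-connector webhook check.

Two checks are shown:
  * a shared-token check for connectors that take a token from configuration
    (the advisory's flaw is a token that is configured but never compared);
  * Twilio's documented X-Twilio-Signature validation, usable as a compensating
    control in front of a connector that has no token support of its own.
Header names, the Request shape and the config keys are assumptions."""
import base64
import hashlib
import hmac
from dataclasses import dataclass, field


@dataclass
class Request:
    """Minimal stand-in for an inbound HTTP request (constructed for this example)."""
    url: str                                   # full URL as the caller requested it
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)   # POST form fields


def vulnerable_check(configured_token, presented_token):
    """The bug class behind the advisory, kept only for contrast: the token is
    read from configuration but never compared, so every request is accepted."""
    _ = configured_token  # loaded from credentials.yml, then ignored
    return True


def check_token(configured_token, presented_token):
    """Hardened form: a missing or empty configured token fails closed instead of
    silently disabling auth, and the comparison is constant-time."""
    if not configured_token or not presented_token:
        return False
    return hmac.compare_digest(configured_token.encode(), presented_token.encode())


def twilio_signature(auth_token, url, form):
    """Twilio's documented request signature: base64(HMAC-SHA1(auth_token,
    url + key+value for every POST field, fields sorted by key))."""
    data = url + "".join(key + form[key] for key in sorted(form))
    digest = hmac.new(auth_token.encode(), data.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def check_twilio_signature(auth_token, request):
    """Compensating control for a Twilio webhook: reject any request whose
    X-Twilio-Signature does not match the signature over the URL and form."""
    presented = request.headers.get("X-Twilio-Signature")
    if not auth_token or not presented:
        return False
    expected = twilio_signature(auth_token, request.url, request.form)
    return hmac.compare_digest(expected.encode(), presented.encode())


def authenticate(connector, config, request):
    """Dispatch per connector type. 'token' connectors present the shared token in
    an X-Connector-Token header (assumed header name); 'twilio' connectors are
    checked by signature. Anything else is rejected rather than waved through."""
    if connector == "token":
        return check_token(config.get("token"), request.headers.get("X-Connector-Token"))
    if connector == "twilio":
        return check_twilio_signature(config.get("twilio_auth_token"), request)
    return False


def demo():
    """Constructed requests exercising both paths; returns the four verdicts."""
    config = {"token": "s3cr3t-connector-token", "twilio_auth_token": "12345"}

    good = Request("https://bot.example/webhooks/voice",
                   {"X-Connector-Token": "s3cr3t-connector-token"})
    bad = Request("https://bot.example/webhooks/voice",
                  {"X-Connector-Token": "guess"})

    url = "https://bot.example/webhooks/twilio"
    form = {"CallSid": "CA1234567890ABCDE", "From": "+12349013030", "To": "+18005551212"}
    signed = Request(url, {"X-Twilio-Signature": twilio_signature("12345", url, form)}, form)
    # Same signature header, but the caller ID field was altered in transit.
    tampered = Request(url, dict(signed.headers), dict(form, From="+10000000000"))

    return (
        authenticate("token", config, good),
        authenticate("token", config, bad),
        authenticate("twilio", config, signed),
        authenticate("twilio", config, tampered),
    )


if __name__ == "__main__":
    print(demo())  # (True, False, True, False)
```

Two points matter when using the Twilio check behind a reverse proxy or load balancer: the signature is computed over the exact URL Twilio requested (scheme, host, path and query string), so the public URL has to be reconstructed rather than taken from the internal request, and the auth token must be treated as a secret with the same care as the connector token, since anyone holding it can forge valid signatures.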
