ComfyUI-Manager CRLF Injection Vulnerability in Configuration Handler
Vulnerability
A CRLF injection vulnerability has been identified in ComfyUI-Manager versions prior to 3.39.2 and 4.0.5. An attacker can exploit it by embedding carriage-return and line-feed characters in HTTP query parameters that the configuration handler writes into the 'config.ini' file; because the injected line break ends the intended entry, the attacker can append arbitrary configuration values. This could lead to unauthorized modification of security settings or changes in application behavior. The vulnerability is reachable remotely when ComfyUI-Manager is run with the '--listen' option, which exposes the service beyond localhost.
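As an added illustration of this bug class (not ComfyUI-Manager's own code; the [default] section and the option names are placeholder assumptions), the following shows a configuration writer that appends a request-supplied value by string concatenation beside a hardened writer that rejects control characters before touching the file:

```python
import configparser
import io
import re

# Constructed illustration: a handler takes a value from an HTTP query parameter
# and appends it to an INI file. Option names and the [default] section are
# placeholders, not ComfyUI-Manager's real settings.
CONTROL_CHARS = re.compile(r"[\r\n\x00]")


def write_option_vulnerable(ini_text: str, option: str, value: str) -> str:
    """Append 'option = value' with no validation (the flawed pattern)."""
    return ini_text + f"{option} = {value}\n"


def write_option_hardened(ini_text: str, option: str, value: str) -> str:
    """Reject CR/LF/NUL in both fields, constrain the option name, and write
    through configparser so the value is stored as one logical entry."""
    for field in (option, value):
        if CONTROL_CHARS.search(field):
            raise ValueError("control characters are not allowed in config fields")
    if not re.fullmatch(r"[A-Za-z0-9_.-]+", option):
        raise ValueError("unexpected option name")
    parser = configparser.ConfigParser()
    parser.read_string(ini_text)
    parser.set("default", option, value)
    buf = io.StringIO()
    parser.write(buf)
    return buf.getvalue()


def parsed_options(ini_text: str) -> dict:
    """Parse INI text and return the [default] section as a plain dict."""
    parser = configparser.ConfigParser()
    parser.read_string(ini_text)
    return dict(parser["default"])


def demo() -> tuple:
    """Run one constructed request value through both writers."""
    base = "[default]\nexisting_option = 1\n"
    # Constructed value carrying an embedded CRLF followed by a second entry.
    tainted = "safe\r\ninjected_option = attacker_controlled"
    leaked = parsed_options(write_option_vulnerable(base, "example_option", tainted))
    try:
        write_option_hardened(base, "example_option", tainted)
        outcome = "accepted"
    except ValueError:
        outcome = "rejected"
    return leaked, outcome
```

The parsed result of the vulnerable path contains the extra 'injected_option' entry, while the hardened writer refuses the same input and still stores a clean value normally.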
Impact
Successful exploitation lets an attacker inject line breaks into the 'config.ini' file and thereby add or override configuration entries, potentially altering security settings or application behavior.
Remediation
Users can upgrade to ComfyUI-Manager versions 3.39.2 or 4.0.5 to address this vulnerability. If an upgrade is not possible, it is recommended to run ComfyUI-Manager only on trusted networks, block external access via firewall, or run on localhost without the '--listen' option.
