Tencent AI-Infra-Guard Information Disclosure Vulnerability in Task Detail Endpoint
Vulnerability
A vulnerability allowing sensitive data exposure has been identified in Tencent AI-Infra-Guard version 4.0. The issue arises in the Task Detail Endpoint, specifically within the 'common/websocket/task_manager.go' file. The vulnerability occurs because the endpoint fails to properly mask API tokens when returning task details, allowing unauthorized access to sensitive information. This flaw can be exploited remotely, without authentication.
Impact
Exploitation of this vulnerability leads to the unauthorized disclosure of API tokens for AI models, which could be misused to access paid services or cross-platform resources, especially if the tokens are reused elsewhere.
Reproduction
To reproduce this vulnerability, submit a task through the Developer API, including a sensitive API token in the model configuration. After the task is created, retrieve the task details using the session ID provided in the response. The plaintext API token will be included in the response, under the 'params.model.token' field.
Vulnerability Rating
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.