Home > Vulnerability Database > CVE-2024-32881

Mend.io Vulnerability Database

CVE-2024-32881

Good to know:

Date: April 26, 2024

Danswer is the AI Assistant connected to company's docs, apps, and people. Danswer is vulnerable to unauthorized access to GET/SET of Slack Bot Tokens. Anyone with network access can steal slack bot tokens and set them. This implies full compromise of the customer's slack bot, leading to internal Slack access. This issue was patched in version 3.63.

Language: Python

Severity Score

9.8

Related Resources (5)

Url: https://github.com/danswer-ai/danswer/security/advisories/GHSA-xr9w-3ggr-hr6j

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-32881

Url: https://github.com/danswer-ai/danswer/commit/bd7e21a6388775e850d6f716675a893c72881e56

Url: https://github.com/danswer-ai/danswer/commit/89ff07a96b41be9e05256bd252105be233f4d28a

Url: https://www.mend.io/vulnerability-database/CVE-2024-32881

Severity Score

9.8

Weakness Type (CWE)

Improper Authorization

CWE-285

Top Fix

Upgrade Version

Upgrade to version v0.3.63

Learn More

CVSS v3.1

Base Score:	9.8
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2024-32881

Good to know:

Date: April 26, 2024

Language: Python

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?