CVE-2024-7043
Published: 2025-03-20

Priority: P3 · 53 · Severity: high · CVSS 3.1 base score: 8.8
Vector: AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
EPSS: 0.56% (42.6th percentile)
An improper access control vulnerability in open-webui/open-webui v0.3.8 allows attackers to view and delete any files. The application does not verify whether the attacker is an administrator, allowing the attacker to directly call the GET /api/v1/files/ interface to retrieve information on all files uploaded by users, which includes the ID values. The attacker can then use the GET /api/v1/files/{file_id} interface to obtain information on any file and the DELETE /api/v1/files/{file_id} interface to delete any file.
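As an added, constructed illustration of the missing check (this is not Open WebUI's code, and the project's actual fix is not shown on this page), the following models the three file operations named above with the authorization the description says v0.3.8 lacks: listing every user's files requires an administrator, and reading or deleting a single file requires its owner or an administrator. The `User`, `StoredFile` and role names are assumptions.

```python
# Constructed example: authorization for the three file operations named in
# CVE-2024-7043. Not Open WebUI code; User/StoredFile/role names are assumptions.
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class User:
    id: str
    role: str  # "admin" or "user" (assumed role names)


@dataclass
class StoredFile:
    id: str
    owner_id: str
    filename: str


class Forbidden(Exception):
    """Raised where the endpoint should answer 403 instead of serving the request."""


class FileStore:
    def __init__(self) -> None:
        self._files: Dict[str, StoredFile] = {}

    def add(self, f: StoredFile) -> None:
        self._files[f.id] = f

    # GET /api/v1/files/ : in v0.3.8 any caller got every user's file record
    # (including IDs). Restrict the full listing to administrators.
    def list_files(self, caller: User) -> List[StoredFile]:
        if caller.role != "admin":
            raise Forbidden("listing all files requires an administrator")
        return list(self._files.values())

    def _authorize(self, caller: User, file_id: str) -> StoredFile:
        f = self._files.get(file_id)
        # Answer 404 both when the ID is unknown and when the caller is not the
        # owner, so a non-owner cannot confirm that a guessed ID exists.
        if f is None or (caller.role != "admin" and f.owner_id != caller.id):
            raise KeyError(file_id)
        return f

    # GET /api/v1/files/{file_id}
    def get_file(self, caller: User, file_id: str) -> StoredFile:
        return self._authorize(caller, file_id)

    # DELETE /api/v1/files/{file_id}
    def delete_file(self, caller: User, file_id: str) -> None:
        f = self._authorize(caller, file_id)
        del self._files[f.id]
```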
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| linuxfoundation | cups-filters | >= 0 < 1.27.4-1ubuntu0.4 | 1.27.4-1ubuntu0.4 |
| linuxfoundation | cups-filters | >= 0 < 1.28.15-0ubuntu1.4 | 1.28.15-0ubuntu1.4 |
| linuxfoundation | cups-filters | >= 0 < 1.8.3-2ubuntu3.5+esm2 | 1.8.3-2ubuntu3.5+esm2 |
| open-webui | open-webui | 0 – 0.3.8 | — |
| open-webui | open-webui_open-webui | unspecified – latest | — |
| openwebui | open_webui | — | — |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | 3.0 | 8.1 | HIGH | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N |
| osv | — | 8.6 | HIGH | — |
GHSA
Open WebUI Allows Arbitrary File Reading and Deletion (ghsa · 2025-03-20 · CVE-2024-7043 · HIGH · CWE-821)
Description: same text as the CVE summary above.
OSV
Open WebUI Allows Arbitrary File Reading and Deletion (osv · 2025-03-20 · CVE-2024-7043 · HIGH)
Description: same text as the CVE summary above.
OSV
cups-filters vulnerabilities (osv · 2024-10-09 · CVSS 8.6 · CVE-2024-47176)
USN-7043-1 fixed vulnerabilities in cups-filters. This update improves the fix for CVE-2024-47176 by removing support for the legacy CUPS printer discovery protocol entirely.
Original advisory details:
Simone Margaritelli discovered that the cups-filters cups-browsed component could be used to create arbitrary printers from outside the local network. In combination with issues in other printing components, a remote attacker could possibly use this issue to connect to a system, create manipulated PPD files, and execute arbitrary code when a printer is used. This update disables support for the legacy CUPS printer discovery protocol. (CVE-2024-47176)
Simone Margaritelli discovered that cups-filters incorrectly sanitized IPP data when creating PPD files. A re
OSV
cups-filters vulnerability (osv · 2024-10-07 · CVSS 5.3)
USN-7043-1 fixed a vulnerability in cups-filters. This update provides the corresponding update for Ubuntu 16.04 LTS.
Original advisory details:
Simone Margaritelli discovered that the cups-filters cups-browsed component could be used to create arbitrary printers from outside the local network. In combination with issues in other printing components, a remote attacker could possibly use this issue to connect to a system, create manipulated PPD files, and execute arbitrary code when a printer is used. This update disables support for the legacy CUPS printer discovery protocol. (CVE-2024-47176)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.