Comments (6)
Hi @frkngksl,
Thanks for your request! This vulnerability is in scope for the reward program. Please submit our participation form and you can start working on the development.
Please keep in mind that the Tsunami Scanner Team will only be able to work at one issue at a time for each participant so please hold on the implementation work for any other requests you might have.
Thanks!
from tsunami-security-scanner-plugins.
Hi @tooryx, I submitted the detector and docker files. Thanks in advance.
from tsunami-security-scanner-plugins.
Hi @maoning, Is this issue can be counted as an AI PRP now?
from tsunami-security-scanner-plugins.
@frkngksl I just noticed that your request here overlaps with an existing AI plugin request #428. It's my fault of not noticing the overlap. I hope by using the new ai-bounty-prp
tag, it would prevent similar issue from happening.
As the #428 has RCE verification, I will merge in that one instead. However I will make sure your other PRs are timely reviewed.
from tsunami-security-scanner-plugins.
Hi @maoning, that issue was accepted last month and the CVE was specific for the lack of authentication in the experimental API. It is true that it can be combined with another CVE for RCE (as specified in the other issue RCE is valid for very specific DAG) but this API provides other functionalities. In my opinion, this should be considered as seperate, otherwise it is a little bit unfair (with all my respect) because I developed a plugin after getting an approval from you.
from tsunami-security-scanner-plugins.
@frkngksl I would definitely want to prevent this from happening in the future and will discuss this with the entire review panel. You effort here is recognized.
In general, we prefer RCE based vuln verification for Tsunami plugins, while it's not always possible, we lean more towards finding fewer critical bugs than producing too many findings.
from tsunami-security-scanner-plugins.
Related Issues (20)
- AI PRP: Weak credential tester for jupyter lab/notebook through Jupyterhub
- PRP: Request Adobe Commerce RCE(CVE-2024-20720) HOT 2
- AI PRP: prestodb exposed UI and APIs
- AI PRP: clickhouse exposed API with weak/default credentials HOT 2
- Spring Boot H2 Database - Remote Command Execution HOT 1
- CVE-2024-28255 - OpenMetaData RCE
- PRP: PAN-OS Firewall RCE HOT 1
- PRP: Adobe ColdFusion - CVE-2023-26360 HOT 1
- AI PRP: CVE-2023-48022 - Ray RCE HOT 1
- AI PRP: argo rollouts
- AI PRP: argo events
- AI PRP: Minio Weak credentials tester HOT 3
- PRP: Unauthenticated Mongodb server
- PRP: Exposed Docker daemon Remote Access HOT 6
- PRP: Exposed Android Debug Bridge
- AI PRP: BentoML Insecure Deserialization RCE HOT 6
- AI PRP: Gardio Arbitrary File Read CVE-2024-1561
- AI PRP: Apache Flink exposed UI
- AI PRP: New Web Fingerprint for Open-WebUI (Ollama WebUI) HOT 1
- AI PRP: Mindsdb weak credential
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from tsunami-security-scanner-plugins.