feat: add CVE rules#457
Conversation
…lAI (CVE-2024-3135) Add vulnerability detection rules for two AI components that previously had fingerprints but no corresponding CVE rules: - Jan CVE-2024-36857: Arbitrary file read via /v1/app/readFileSync (CVSS 7.5, HIGH) - Jan CVE-2024-36858: Arbitrary file upload RCE via /v1/app/writeFileSync (CVSS 9.8, CRITICAL) - LocalAI CVE-2024-3135: Cross-Site Request Forgery (CSRF) (CVSS 3.0, LOW) All rules include both Chinese (data/vuln/) and English (data/vuln_en/) versions. CVSS scores and descriptions are sourced from NVD API. All YAML files pass yamlcheck validation.
Code Review: feat: add CVE rules (Jan + LocalAI)✅ Strengths
|
Per code review feedback, removing Jan CVE rules from this PR. PR Tencent#457 (add-cve-rules-for-jan-localai) will handle Jan CVEs instead. This avoids merge conflicts between the two PRs.
- Change rule from 'version <= 0.4.12' to 'version > 0 && version < 0.5.2' to correctly cover all affected versions (0.4.13-0.5.1 were also vulnerable) - Add GHSA-qfjh-mvq6-c5p8 advisory reference
|
Thanks for the review! The duplicate Jan/CVE-2024-36858 conflict with PR #462 has been resolved:
Other notes confirmed:
Ready for merge. |
|
The Jan duplicate with PR #462 has been resolved. PR #462 removed its Jan files (commit 6e68c2f), so this PR is the single source for Jan CVE rules. Also fixed the version range for CVE-2024-36858 from version <= "0.4.12" to version > "0" && version < "0.5.2" (commit cc86077). No conflict remains. Ready for merge. |
The Jan duplicate with PR #462 has been resolved. PR #462 removed its Jan files (commit 6e68c2f), so this PR is the single source for Jan CVE rules. Also fixed the version range for CVE-2024-36858 from version <= "0.4.12" to version > "0" && version < "0.5.2" (commit cc86077). No conflict remains. Ready for merge. |
Add vulnerability detection rules for two AI components that previously had fingerprints but no corresponding CVE rules:
All rules include both Chinese (data/vuln/) and English (data/vuln_en/) versions. CVSS scores and descriptions are sourced from NVD API. All YAML files pass yamlcheck validation.