Cyber Resilience

CVE-2024-7038

Severity: Low · Public PoC

Published: 09 October 2024

Modified: 03 November 2024
KEV Added:
Patch:
CVSS Score (v3.1): 2.7 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N)
EPSS Score: 0.0021 (43.7th percentile)
Risk Priority: 6 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-7038 is a low-severity Generation of Error Message Containing Sensitive Information (CWE-209) vulnerability in Open WebUI (vendor: openwebui). Its CVSS base score is 2.7 (Low).

Operationally, exploitation aligns with the MITRE ATT&CK technique File and Directory Discovery (T1083); ranked at the 43.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

This vulnerability is AI-related — categorised as Enterprise AI Assistants; in the Privacy and Disclosure risk domain; MITRE ATLAS techniques in scope: Obtain Capabilities (AML.T0016).

EU & UK References

Vulnerability details

An information disclosure vulnerability exists in open-webui version 0.3.8. The vulnerability is related to the embedding model update feature under admin settings. When a user updates the model path, the system checks if the file exists and provides different error messages based on the existence and configuration of the file. This behavior allows an attacker to enumerate file names and traverse directories by observing the error messages, leading to potential exposure of sensitive information.
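The pattern described above, as an added illustration that is not code from Open WebUI or from this record: a model-path check whose distinct error messages act as a file-existence oracle, beside a hardened form that confines the path to an allow-listed root and returns one uniform message. Function names, the `config.json` layout and the temporary directory are constructed for the example (Python 3.9+).

```python
import logging
import tempfile
from pathlib import Path

log = logging.getLogger("embedding-admin")
GENERIC_ERROR = "Invalid model path"  # one message for every failure

def update_model_vulnerable(model_path: str) -> dict:
    """Vulnerable pattern (CWE-209): each failure branch answers with a different
    message, so the response doubles as an existence/type oracle for any path."""
    p = Path(model_path)
    if not p.exists():
        return {"ok": False, "error": f"Path does not exist: {model_path}"}
    if not p.is_dir():
        return {"ok": False, "error": f"Not a model directory: {model_path}"}
    if not (p / "config.json").is_file():
        return {"ok": False, "error": "Directory has no config.json"}
    return {"ok": True}

def update_model_hardened(model_path: str, models_root: Path) -> dict:
    """Hardened form: confine the path to an allow-listed root and collapse every
    failure into the same message; the specific reason goes to the server log."""
    root = models_root.resolve()
    try:
        p = (root / model_path).resolve(strict=True)
    except OSError as exc:
        log.warning("model path rejected: %r (%s)", model_path, exc)
        return {"ok": False, "error": GENERIC_ERROR}
    if not (p.is_relative_to(root) and p.is_dir() and (p / "config.json").is_file()):
        log.warning("model path rejected: %r (outside root or not a model)", model_path)
        return {"ok": False, "error": GENERIC_ERROR}
    return {"ok": True}

def demo() -> dict:
    """Constructed model layout; returns {case: (vulnerable_resp, hardened_resp)}."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "good").mkdir()
        (root / "good" / "config.json").write_text("{}")
        (root / "empty").mkdir()
        (root / "plain.txt").write_text("not a model")
        cases = {"good": "good", "empty": "empty", "file": "plain.txt",
                 "missing": "nope", "escape": "../outside"}
        for case, rel in cases.items():
            results[case] = (update_model_vulnerable(str(root / rel)),
                             update_model_hardened(rel, root))
    return results
```

The vulnerable handler yields three different messages for a missing path, a plain file and a directory without a config, which is exactly the signal the record describes; the hardened handler answers every failure identically and keeps the reason in the server log.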

CWE(s)

AI Security Analysis

AI Category: Enterprise AI Assistants
Risk Domain: Privacy and Disclosure
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: Open WebUI is a self-hosted web interface for interacting with LLMs and embedding models, functioning as an enterprise AI assistant platform. The vulnerability occurs in the embedding model update feature, confirming AI relevance.

Related Threats

MITRE ATT&CK Enterprise Techniques

T1083 File and Directory Discovery (tactic: Discovery)
Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.
Why these techniques?

The vulnerability enables file and directory enumeration through distinct error messages based on file existence and configuration during model path updates, directly facilitating File and Directory Discovery (T1083).

MITRE ATLAS Techniques

AML.T0016: Obtain Capabilities

Affected Assets

Vendor: openwebui
Product: open webui
Versions: all versions

Mitigating Controls

Likely Mitigating Controls

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

- Addresses CWE-209: Detects error messages that leak sensitive information as evidence of disclosure.
- Addresses CWE-209: The control directly mitigates generation of error messages containing sensitive authentication details by requiring obscured feedback instead of verbose responses.
- Addresses CWE-209: Misdirection allows generation of misleading error messages that withhold or falsify sensitive details.
- Addresses CWE-209: Explicitly requires error messages to avoid including sensitive or exploitable details while still supporting corrective action.
- Addresses CWE-209: Validation ensures error messages contain only expected, non-sensitive content and blocks leakage via verbose errors.
- Addresses CWE-209: Fail-safe procedures can be defined to suppress or sanitize error output, reducing generation of messages that contain sensitive information.

References