NLWeb, a new AI tool from Microsoft, has a critical security flaw allowing unauthorized access to sensitive files. Discovered during a security audit by Aonan Guan and Lei Wang, the vulnerability permits remote users to read system configurations and cloud credentials via a malformed URL. Guan identified three oversights in the code that contributed to this flaw: improper sanitization, an expanded attack surface, and insufficient final path validation. Microsoft has acknowledged the issue and released a patch in response to the vulnerability report submitted soon after its discovery.
The bug was discovered by Aonan Guan and Lei Wang in a security audit of the NLWeb open source repository. Guan noted, "the flaw allowed any remote user to read sensitive files, including system configurations (/etc/passwd) and cloud credentials (.env files), using a simple, malformed URL."
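The three oversights Guan names (improper sanitization, an expanded attack surface, insufficient final path validation) describe the general shape of a file-path handling bug, and the last of them is the one that decides whether the other two matter. The following is an added illustration, not NLWeb's code or Microsoft's patch, of what a final path validation step looks like: the request path is percent-decoded once, joined onto a fixed base directory, fully resolved, and only then checked for containment. The base directory name and the sample request paths are constructed placeholders.

```python
import os
from urllib.parse import unquote

# Added illustration, not NLWeb's code: a file-serving helper that decodes the
# request path once, resolves it against a fixed base directory, and only then
# checks that the final, fully resolved path still lies inside that directory.
# The base directory used in the demo at the bottom is a constructed placeholder.


class PathTraversalError(ValueError):
    """Raised when a requested path would resolve outside the allowed base."""


def safe_resolve(base_dir: str, requested_path: str) -> str:
    """Map a URL path component onto a file under base_dir, or raise.

    The check runs on the final resolved path (after percent-decoding,
    '..' collapsing and symlink resolution), not on the raw input string,
    so it does not rely on recognising every traversal spelling up front.
    """
    # Decode exactly once. If a later layer decoded again, a check done here
    # would be looking at a different string than the filesystem sees, so the
    # rest of the handler must treat this value as final.
    decoded = unquote(requested_path)
    if "\x00" in decoded:
        raise PathTraversalError("NUL byte in path")
    # A leading '/' would make os.path.join discard base_dir entirely; treat
    # the request as relative to the base, the way a document root is served.
    relative = decoded.lstrip("/")
    base_real = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base_real, relative))
    # Final path validation: the resolved target must be base_dir itself or a
    # descendant of it. commonpath compares whole path components, so a
    # sibling directory whose name merely starts with base_dir is not accepted.
    if os.path.commonpath([base_real, candidate]) != base_real:
        raise PathTraversalError(f"{requested_path!r} escapes {base_dir}")
    return candidate


def is_safe_request(base_dir: str, requested_path: str) -> bool:
    """Boolean convenience wrapper, e.g. for a request-log filter or tests."""
    try:
        safe_resolve(base_dir, requested_path)
        return True
    except PathTraversalError:
        return False


if __name__ == "__main__":
    # Constructed sample requests against a placeholder base directory.
    base = "/srv/example-site"
    for path in ["docs/index.html", "docs/../README.md",
                 "../etc/passwd", "%2e%2e/%2e%2e/.env", "docs/../../.env"]:
        verdict = "allowed" if is_safe_request(base, path) else "rejected"
        print(f"{path!r:28} -> {verdict}")
```

The point of structuring it this way is that the containment check is the last thing that runs and operates on the same value the open() call would use; input-side stripping of "../" can still be done for logging or early rejection, but it is no longer what the security of the handler depends on.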