Executive Summary

This vulnerability in ComfyUI-Manager prior to version 3.38 allowed remote attackers to potentially manipulate its configuration and critical data because the application stored its files in an insufficiently protected location accessible via the web interface. This meant unauthorized users could access and alter important configuration files and data remotely. [2]

Useful 0 Not Useful 0

Impact Analysis

The vulnerability can lead to unauthorized remote access and tampering with ComfyUI-Manager's configuration and critical data. This could compromise the integrity and security of the application, potentially allowing attackers to manipulate settings, disrupt operations, or gain further access to the system, especially if ComfyUI is exposed over a network. [2]

Useful 0 Not Useful 0

Detection Guidance

You can detect this vulnerability by checking if your ComfyUI-Manager installation is prior to version 3.38 and if the configuration and data files are stored in the legacy unprotected path: <USER_DIRECTORY>/default/ComfyUI-Manager/. Also, look for the presence of the new protected directory <USER_DIRECTORY>/__manager/. If the legacy directory still exists, a persistent notification will appear on startup. Additionally, verify if ComfyUI is running with network options like '--listen 0.0.0.0' which expose the service externally. Commands to check versions and directories could include: 1) Checking ComfyUI-Manager version: `comfyui-manager --version` or checking the installed package version. 2) Listing directories: `ls <USER_DIRECTORY>/default/ComfyUI-Manager/` and `ls <USER_DIRECTORY>/__manager/` 3) Checking running processes for network exposure: `netstat -tulnp | grep comfyui` or `ss -tulnp | grep comfyui` 4) Inspecting config.ini for security level settings inside the __manager directory. These checks help identify if the system is vulnerable or has been migrated. [2]

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate this vulnerability immediately, you should update ComfyUI-Manager to version 3.38 or later and ensure ComfyUI is updated to version 0.3.76 or later to benefit from the System User Protection API. This update migrates configuration and data files from the unprotected legacy path to a protected system directory, preventing unauthorized remote access. After updating, verify that the legacy directory <USER_DIRECTORY>/default/ComfyUI-Manager/ is backed up in <USER_DIRECTORY>/__manager/.legacy-manager-backup/ and manually review and copy any necessary snapshots to the new protected snapshots directory. Also, check and set the security level in config.ini to at least 'normal' to prevent weak security settings. Remove the legacy backup folder only after confirming data integrity. Avoid running ComfyUI with network options that expose it externally without proper protection. [2]

Useful 0 Not Useful 0

Compliance Impact

The vulnerability allows remote attackers to potentially manipulate configuration and critical data due to insufficient protection of stored files accessible via the web interface. This could lead to unauthorized access and tampering with sensitive data, which may result in non-compliance with data protection regulations such as GDPR and HIPAA that require safeguarding personal and sensitive information. The security update in version 3.38 mitigates these risks by relocating data to a protected directory and enforcing stricter security levels, thereby improving compliance posture by preventing unauthorized remote access and manipulation. [2]

Useful 0 Not Useful 0