CVE-2024-0404

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2024-0404
A mass assignment vulnerability exists in the `/api/invite/:code` endpoint of the mintplex-labs/anything-llm repository, allowing unauthorized creation of high-privileged accounts. By intercepting and modifying the HTTP request during the account creation process via an invitation link, an attacker can add a `role` property with `admin` value, thereby gaining administrative access. This issue arises due to the lack of property allowlisting and blocklisting, enabling the attacker to exploit the system and perform actions as an administrator.

9.1 /10

CVSS v3 : CRITICAL

V3 Legend

Vector : AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Exploitability : 3.9 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://github.com/mintplex-labs/anything-llm/commit/8cd3a92c660b202655d99bee90b2864694c99946
https://huntr.com/bounties/b4355bae-766a-4bb0-942b-607bc491b23d
Configurations

No configuration.

History

16 Apr 2024, 13:24

Type Values Removed Values Added
Summary
  • (es) Existe una vulnerabilidad de asignación masiva en el endpoint `/api/invite/:code` del repositorio mintplex-labs/anything-llm, lo que permite la creación no autorizada de cuentas con altos privilegios. Al interceptar y modificar la solicitud HTTP durante el proceso de creación de la cuenta a través de un enlace de invitación, un atacante puede agregar una propiedad "rol" con valor "admin", obteniendo así acceso administrativo. Este problema surge debido a la falta de listas de propiedades permitidas y bloqueadas, lo que permite al atacante explotar el sistema y realizar acciones como administrador.

16 Apr 2024, 00:15

Type Values Removed Values Added
New CVE
Information

Published : 2024-04-16 00:15

Updated : 2024-04-16 13:24

NVD link : CVE-2024-0404

Mitre link : CVE-2024-0404

CVE.ORG link : CVE-2024-0404

JSON object : View

Products Affected

No product.

CWE
CWE-915

Improperly Controlled Modification of Dynamically-Determined Object Attributes