CVE-2024-3029

In mintplex-labs/anything-llm, an attacker can exploit improper input validation by sending a malformed JSON payload to the '/system/enable-multi-user' endpoint. This triggers an error that is caught by a catch block, which in turn deletes all users and disables the 'multi_user_mode'. The vulnerability allows an attacker to remove all existing users and potentially create a new admin user without requiring a password, leading to unauthorized access and control over the application.

CVSS v3 9.0 CRITICAL

9.0^/10

CVSS v3 : CRITICAL

V3 Legend

Vector : AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

Exploitability : 2.3 / Impact : 6.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

References

Link	Resource
https://github.com/mintplex-labs/anything-llm/commit/99cfee1e7025fe9a0919a4d506ba1e1b819f6073
https://huntr.com/bounties/7189a7a0-9830-459d-b853-bdc2559999a0

Configurations

No configuration.

History

16 Apr 2024, 13:24

Type	Values Removed	Values Added
Summary		(es) En mintplex-labs/anything-llm, un atacante puede aprovechar la validación de entrada incorrecta enviando un payload JSON con formato incorrecto al endpoint '/system/enable-multi-user'. Esto desencadena un error que es detectado por un bloque catch, que a su vez elimina a todos los usuarios y desactiva el 'multi_user_mode'. La vulnerabilidad permite a un atacante eliminar a todos los usuarios existentes y potencialmente crear un nuevo usuario administrador sin requerir una contraseña, lo que genera acceso y control no autorizados sobre la aplicación.

16 Apr 2024, 00:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-04-16 00:15

Updated : 2024-04-16 13:24

NVD link : CVE-2024-3029

Mitre link : CVE-2024-3029

CVE.ORG link : CVE-2024-3029

JSON object : View

Products Affected

No product.

CWE

CWE-20

Improper Input Validation

9.0 /10