CVE-2024-0549
8.1
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Summary
mintplex-labs/anything-llm is vulnerable to a relative path traversal attack, allowing unauthorized attackers with a default role account to delete files and folders within the filesystem, including critical database files such as 'anythingllm.db'. The vulnerability stems from insufficient input validation and normalization in the handling of file and folder deletion requests. Successful exploitation results in the compromise of data integrity and availability.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| mintplex-labs | mintplex-labs/anything-llm | unspecified < 1.0.0 | affected |
Weaknesses
- CWE-23: CWE-23 Relative Path Traversal
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: no
- Technical Impact: partial
CVE Program Container
Additional References
- https://huntr.com/bounties/fcb4001e-0290-4b78-a2f0-91ee5d20cc72
- https://github.com/mintplex-labs/anything-llm/commit/026849df0224b6a8754f4103530bc015874def62
References
- https://huntr.com/bounties/fcb4001e-0290-4b78-a2f0-91ee5d20cc72
- https://github.com/mintplex-labs/anything-llm/commit/026849df0224b6a8754f4103530bc015874def62
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.