CVE-2024-8248
7.2
CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Summary
A vulnerability in the normalizePath function in mintplex-labs/anything-llm version git 296f041 allows for path traversal, leading to arbitrary file read and write in the storage directory. This can result in privilege escalation from manager to admin. The issue is fixed in version 1.2.2.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| mintplex-labs | mintplex-labs/anything-llm | unspecified < 1.2.2 | affected |
Weaknesses
- CWE-29: CWE-29 Path Traversal: '..\filename'
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: no
- Technical Impact: total
References
- https://huntr.com/bounties/7d6c3b7a-1116-450d-b539-9c911a97537e
- https://github.com/mintplex-labs/anything-llm/commit/47a5c7126c20e2277ee56e2c7ee11990886a40a7
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.