TROYANOSYVIRUS
Voltar para CVEs

CVE-2024-3033

CRITICAL
9.4

Descricao

An improper authorization vulnerability exists in the mintplex-labs/anything-llm application, specifically within the '/api/v/' endpoint and its sub-routes. This flaw allows unauthenticated users to perform destructive actions on the VectorDB, including resetting the database and deleting specific namespaces, without requiring any authorization or permissions. The issue affects all versions up to and including the latest version, with a fix introduced in version 1.0.0. Exploitation of this vulnerability can lead to complete data loss of document embeddings across all workspaces, rendering workspace chats and embeddable chat widgets non-functional. Additionally, attackers can list all namespaces, potentially exposing private workspace names.

Detalhes CVE

Pontuacao CVSS v3.19.4
SeveridadeCRITICAL
Vetor CVSSCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H
Vetor de ataqueNETWORK
ComplexidadeLOW
Privilegios necessariosNONE
Interacao do usuarioNONE
Publicado6/6/2024
Ultima modificacao11/21/2024
Fontenvd
Avistamentos honeypot0

Produtos afetados

mintplexlabs:anythingllm

Fraquezas (CWE)

CWE-863CWE-863

Referencias

https://github.com/mintplex-labs/anything-llm/commit/bf8df60c02b9ddc7ba682809ca12c5637606393a(security@huntr.dev)
https://huntr.com/bounties/8a98a0b4-7886-41c5-8624-fc5c21972e5a(security@huntr.dev)
https://github.com/mintplex-labs/anything-llm/commit/bf8df60c02b9ddc7ba682809ca12c5637606393a(af854a3a-2127-422b-91ae-364da2661108)
https://huntr.com/bounties/8a98a0b4-7886-41c5-8624-fc5c21972e5a(af854a3a-2127-422b-91ae-364da2661108)

Correlacoes IOC

Sem correlacoes registradas

This product uses data from the NVD API but is not endorsed or certified by the NVD.