CVE-2024-3102

CVSS V2: None
CVSS V3: None
Description
A JSON Injection vulnerability exists in the `mintplex-labs/anything-llm` application, specifically within the username parameter during the login process at the `/api/request-token` endpoint. The vulnerability arises from improper handling of values, allowing attackers to perform brute force attacks without prior knowledge of the username. Once the password is known, attackers can conduct blind attacks to ascertain the full username, significantly compromising system security.
Overview
  • CVE ID: CVE-2024-3102
  • Assigner: @huntr_ai
  • Vulnerability Status: PUBLISHED
  • Published Version: 2024-06-06T18:19:23.450Z
  • Last Modified Date: 2024-06-20T13:57:49.007Z
History
Created Old Value New Value Data Type Notes
2024-06-23 23:58:47 Added to TrackCVE