CVE-2024-3283

CVSS V2 None CVSS V3 None

Description

A vulnerability in mintplex-labs/anything-llm allows users with manager roles to escalate their privileges to admin roles through a mass assignment issue. The '/admin/system-preferences' API endpoint improperly authorizes manager-level users to modify the 'multi_user_mode' system variable, enabling them to access the '/api/system/enable-multi-user' endpoint and create a new admin user. This issue results from the endpoint accepting a full JSON object in the request body without proper validation of modifiable fields, leading to unauthorized modification of system settings and subsequent privilege escalation.

Overview

CVE ID
CVE-2024-3283

Assigner
@huntr_ai

Vulnerability Status
PUBLISHED

Published Version
2024-04-10T17:07:59.902Z

Last Modified Date
2024-04-16T11:10:29.837Z

Weakness Enumerations

CWE	URL
CWE-915	http://cwe.mitre.org/data/definitions/915.html

References

Reference URL	Reference Tags
https://huntr.com/bounties/a8000cce-0ecb-4820-9cfb-57ba6f4d58a2
https://github.com/mintplex-labs/anything-llm/commit/52fac844221a9b951d08ceb93c4c014e9397b1f2

Sources

Source Name	Source URL
NIST	https://nvd.nist.gov/vuln/detail/CVE-2024-3283
MITRE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-3283

History

Created	Old Value	New Value	Data Type	Notes
2024-06-23 23:49:45				Added to TrackCVE