CVE-2024-4284

CVSS V2 None CVSS V3 None

Description

A vulnerability in mintplex-labs/anything-llm allows for a denial of service (DoS) condition through the modification of a user's `id` attribute to a value of 0. This issue affects the current version of the software, with the latest commit id `57984fa85c31988b2eff429adfc654c46e0c342a`. By exploiting this vulnerability, an attacker, with manager or admin privileges, can render a chosen account completely inaccessible. The application's mechanism for suspending accounts does not provide a means to reverse this condition through the UI, leading to uncontrolled resource consumption. The vulnerability is introduced due to the lack of input validation and sanitization in the user modification endpoint and the middleware's token validation logic. This issue has been addressed in version 1.0.0 of the software.

Overview

CVE ID
CVE-2024-4284

Assigner
@huntr_ai

Vulnerability Status
PUBLISHED

Published Version
2024-05-19T22:23:48.278Z

Last Modified Date
2024-06-04T17:55:29.452Z

Weakness Enumerations

CWE	URL
CWE-400	http://cwe.mitre.org/data/definitions/400.html

References

Reference URL	Reference Tags
https://huntr.com/bounties/a5f45596-0aef-49e0-9f7d-63f1955a1552
https://github.com/mintplex-labs/anything-llm/commit/1b35bcbeab10b77e6dbd263cceecf1b965a40789

Sources

Source Name	Source URL
NIST	https://nvd.nist.gov/vuln/detail/CVE-2024-4284
MITRE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-4284

History

Created	Old Value	New Value	Data Type	Notes
2024-06-23 22:07:47				Added to TrackCVE