CVE-2024-7783

CVSS V2 None CVSS V3 None

Description

mintplex-labs/anything-llm version latest contains a vulnerability where sensitive information, specifically a password, is improperly stored within a JWT (JSON Web Token) used as a bearer token in single user mode. When decoded, the JWT reveals the password in plaintext. This improper storage of sensitive information poses significant security risks, as an attacker who gains access to the JWT can easily decode it and retrieve the password. The issue is fixed in version 1.0.3.

Overview

CVE ID
CVE-2024-7783

Assigner
@huntr_ai

Vulnerability Status
PUBLISHED

Published Version
2024-10-29T12:49:34.965Z

Last Modified Date
2024-10-29T13:27:53.212Z

Weakness Enumerations

CWE	URL
CWE-312	http://cwe.mitre.org/data/definitions/312.html

References

Reference URL	Reference Tags
https://huntr.com/bounties/20e9950f-ad41-4d6b-8bd0-c7f7051695b3
https://github.com/mintplex-labs/anything-llm/commit/4430ddb05988470bc8f0479e7d07db1f7d4646ba

Sources

Source Name	Source URL
NIST	https://nvd.nist.gov/vuln/detail/CVE-2024-7783
MITRE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-7783

History

Created	Old Value	New Value	Data Type	Notes
2024-10-30 13:17:54				Added to TrackCVE