Vulnerability Description
mintplex-labs/anything-llm is vulnerable to a relative path traversal attack, allowing unauthorized attackers with a default role account to delete files and folders within the filesystem, including critical database files such as 'anythingllm.db'. The vulnerability stems from insufficient input validation and normalization in the handling of file and folder deletion requests. Successful exploitation results in the compromise of data integrity and availability.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Mintplexlabs | Anythingllm | < 1.0.0 |
Related Weaknesses (CWE)
References
- https://github.com/mintplex-labs/anything-llm/commit/026849df0224b6a8754f4103530Patch
- https://huntr.com/bounties/fcb4001e-0290-4b78-a2f0-91ee5d20cc72ExploitThird Party Advisory
- https://github.com/mintplex-labs/anything-llm/commit/026849df0224b6a8754f4103530Patch
- https://huntr.com/bounties/fcb4001e-0290-4b78-a2f0-91ee5d20cc72ExploitThird Party Advisory
FAQ
What is CVE-2024-0549?
CVE-2024-0549 is a vulnerability with a CVSS score of 8.1 (HIGH). mintplex-labs/anything-llm is vulnerable to a relative path traversal attack, allowing unauthorized attackers with a default role account to delete files and folders within the filesystem, including c...
How severe is CVE-2024-0549?
CVE-2024-0549 has been rated HIGH with a CVSS base score of 8.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2024-0549?
Check the references section above for vendor advisories and patch information. Affected products include: Mintplexlabs Anythingllm.