CVE-2024-10109 — HIGH (8.3)

Q: How severe is CVE-2024-10109?

CVE-2024-10109 has been rated HIGH with a CVSS base score of 8.3/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2024-10109?

Check the references section above for vendor advisories and patch information. Affected products include: Mintplexlabs Anythingllm.

Vulnerability Description

A vulnerability in the mintplex-labs/anything-llm repository, as of commit 5c40419, allows low privilege users to access the sensitive API endpoint "/api/system/custom-models". This access enables them to modify the model's API key and base path, leading to potential API key leakage and denial of service on chats.

CVSS Score

8.3

HIGH

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

LOW

Availability

HIGH

Affected Products

Vendor	Product	Versions
Mintplexlabs	Anythingllm	< 1.3.1

Related Weaknesses (CWE)

CWE-863

References

https://github.com/mintplex-labs/anything-llm/commit/8d302c3f670c582b09d47e96132Patch
https://huntr.com/bounties/ad3c9e76-679d-4775-b203-96947ff73551ExploitThird Party Advisory

FAQ

What is CVE-2024-10109?

CVE-2024-10109 is a vulnerability with a CVSS score of 8.3 (HIGH). A vulnerability in the mintplex-labs/anything-llm repository, as of commit 5c40419, allows low privilege users to access the sensitive API endpoint "/api/system/custom-models". This access enables the...

How severe is CVE-2024-10109?

CVE-2024-10109 has been rated HIGH with a CVSS base score of 8.3/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2024-10109?

Check the references section above for vendor advisories and patch information. Affected products include: Mintplexlabs Anythingllm.