Vulnerability Description
A JSON Injection vulnerability exists in the `mintplex-labs/anything-llm` application, specifically within the username parameter during the login process at the `/api/request-token` endpoint. The vulnerability arises from improper handling of values, allowing attackers to perform brute force attacks without prior knowledge of the username. Once the password is known, attackers can conduct blind attacks to ascertain the full username, significantly compromising system security.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Mintplexlabs | Anythingllm | < 1.0.0 |
Related Weaknesses (CWE)
References
- https://github.com/mintplex-labs/anything-llm/commit/2374939ffb551ab2929d7f9d582Patch
- https://huntr.com/bounties/8af4650d-5955-44a4-86b4-d08e1c862b49ExploitThird Party Advisory
- https://github.com/mintplex-labs/anything-llm/commit/2374939ffb551ab2929d7f9d582Patch
- https://huntr.com/bounties/8af4650d-5955-44a4-86b4-d08e1c862b49ExploitThird Party Advisory
FAQ
What is CVE-2024-3102?
CVE-2024-3102 is a vulnerability with a CVSS score of 5.3 (MEDIUM). A JSON Injection vulnerability exists in the `mintplex-labs/anything-llm` application, specifically within the username parameter during the login process at the `/api/request-token` endpoint. The vul...
How severe is CVE-2024-3102?
CVE-2024-3102 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2024-3102?
Check the references section above for vendor advisories and patch information. Affected products include: Mintplexlabs Anythingllm.