Vulnerability Description
A vulnerability in mintplex-labs/anything-llm allows for a denial of service (DoS) condition through the modification of a user's `id` attribute to a value of 0. This issue affects the current version of the software, with the latest commit id `57984fa85c31988b2eff429adfc654c46e0c342a`. By exploiting this vulnerability, an attacker, with manager or admin privileges, can render a chosen account completely inaccessible. The application's mechanism for suspending accounts does not provide a means to reverse this condition through the UI, leading to uncontrolled resource consumption. The vulnerability is introduced due to the lack of input validation and sanitization in the user modification endpoint and the middleware's token validation logic. This issue has been addressed in version 1.0.0 of the software.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Mintplexlabs | Anythingllm | < 1.0.0 |
Related Weaknesses (CWE)
References
- https://github.com/mintplex-labs/anything-llm/commit/1b35bcbeab10b77e6dbd263cceePatch
- https://huntr.com/bounties/a5f45596-0aef-49e0-9f7d-63f1955a1552ExploitThird Party Advisory
- https://github.com/mintplex-labs/anything-llm/commit/1b35bcbeab10b77e6dbd263cceePatch
- https://huntr.com/bounties/a5f45596-0aef-49e0-9f7d-63f1955a1552ExploitThird Party Advisory
FAQ
What is CVE-2024-4284?
CVE-2024-4284 is a vulnerability with a CVSS score of 4.9 (MEDIUM). A vulnerability in mintplex-labs/anything-llm allows for a denial of service (DoS) condition through the modification of a user's `id` attribute to a value of 0. This issue affects the current version...
How severe is CVE-2024-4284?
CVE-2024-4284 has been rated MEDIUM with a CVSS base score of 4.9/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2024-4284?
Check the references section above for vendor advisories and patch information. Affected products include: Mintplexlabs Anythingllm.