HIGH · 7.5

CVE-2024-6842

Vulnerability Description

In version 1.5.5 of mintplex-labs/anything-llm, the `/setup-complete` API endpoint allows unauthorized users to access sensitive system settings. The data returned by the `currentSettings` function includes sensitive information such as API keys for search engines, which can be exploited by attackers to steal these keys and cause loss of user assets.

CVSS Score

7.5 (HIGH)

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality: HIGH
Integrity: NONE
Availability: NONE

Affected Products

Vendor: Mintplexlabs
Product: Anythingllm
Versions: 1.5.5

Related Weaknesses (CWE)

References

FAQ

What is CVE-2024-6842?

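CVE-2024-6842 is a vulnerability with a CVSS score of 7.5 (HIGH). In version 1.5.5 of mintplex-labs/anything-llm, the `/setup-complete` API endpoint allows unauthorized users to access sensitive system settings. The data returned by the `currentSettings` function includes sensitive information such as API keys for search engines, which can be exploited by attackers to steal these keys and cause loss of user assets.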

How severe is CVE-2024-6842?

CVE-2024-6842 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for a detailed severity breakdown.

Is there a patch for CVE-2024-6842?

Check the references section above for vendor advisories and patch information. Affected products include: Mintplexlabs Anythingllm.