CVE-2024-0404

A mass assignment vulnerability exists in the `/api/invite/:code` endpoint of the mintplex-labs/anything-llm repository, allowing unauthorized creation of high-privileged accounts. By intercepting and modifying the HTTP request during the account creation process via an invitation link, an attacker can add a `role` property with `admin` value, thereby gaining administrative access. This issue arises due to the lack of property allowlisting and blocklisting, enabling the attacker to exploit the system and perform actions as an administrator.

CVSS v3 9.1 CRITICAL

9.1^/10

CVSS v3 : CRITICAL

Vector : AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Exploitability : 3.9 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/mintplex-labs/anything-llm/commit/8cd3a92c660b202655d99bee90b2864694c99946
https://huntr.com/bounties/b4355bae-766a-4bb0-942b-607bc491b23d

Configurations

No configuration.

History

No history.

Information

Published : 2024-04-16 00:15

Updated : 2024-04-16 13:24

NVD link : CVE-2024-0404

Mitre link : CVE-2024-0404

CVE.ORG link : CVE-2024-0404

JSON object : View

Products Affected

No product.

CWE

CWE-915

Improperly Controlled Modification of Dynamically-Determined Object Attributes

{"id": "CVE-2024-0404", "cveTags": [], "metrics": {"cvssMetricV30": [{"type": "Secondary", "source": "security@huntr.dev", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 3.9}]}, "published": "2024-04-16T00:15:07.387", "references": [{"url": "https://github.com/mintplex-labs/anything-llm/commit/8cd3a92c660b202655d99bee90b2864694c99946", "source": "security@huntr.dev"}, {"url": "https://huntr.com/bounties/b4355bae-766a-4bb0-942b-607bc491b23d", "source": "security@huntr.dev"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Primary", "source": "security@huntr.dev", "description": [{"lang": "en", "value": "CWE-915"}]}], "descriptions": [{"lang": "en", "value": "A mass assignment vulnerability exists in the `/api/invite/:code` endpoint of the mintplex-labs/anything-llm repository, allowing unauthorized creation of high-privileged accounts. By intercepting and modifying the HTTP request during the account creation process via an invitation link, an attacker can add a `role` property with `admin` value, thereby gaining administrative access. This issue arises due to the lack of property allowlisting and blocklisting, enabling the attacker to exploit the system and perform actions as an administrator."}, {"lang": "es", "value": "Existe una vulnerabilidad de asignaci\u00f3n masiva en el endpoint `/api/invite/:code` del repositorio mintplex-labs/anything-llm, lo que permite la creaci\u00f3n no autorizada de cuentas con altos privilegios. Al interceptar y modificar la solicitud HTTP durante el proceso de creaci\u00f3n de la cuenta a trav\u00e9s de un enlace de invitaci\u00f3n, un atacante puede agregar una propiedad \"rol\" con valor \"admin\", obteniendo as\u00ed acceso administrativo. Este problema surge debido a la falta de listas de propiedades permitidas y bloqueadas, lo que permite al atacante explotar el sistema y realizar acciones como administrador."}], "lastModified": "2024-04-16T13:24:07.103", "sourceIdentifier": "security@huntr.dev"}