CVE-2024-3033

An improper authorization vulnerability exists in the mintplex-labs/anything-llm application, specifically within the '/api/v/' endpoint and its sub-routes. This flaw allows unauthenticated users to perform destructive actions on the VectorDB, including resetting the database and deleting specific namespaces, without requiring any authorization or permissions. The issue affects all versions up to and including the latest version, with a fix introduced in version 1.0.0. Exploitation of this vulnerability can lead to complete data loss of document embeddings across all workspaces, rendering workspace chats and embeddable chat widgets non-functional. Additionally, attackers can list all namespaces, potentially exposing private workspace names.

CVSS v3 9.1 CRITICAL

9.1^/10

CVSS v3 : CRITICAL

Vector : AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

Exploitability : 3.9 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/mintplex-labs/anything-llm/commit/bf8df60c02b9ddc7ba682809ca12c5637606393a
https://huntr.com/bounties/8a98a0b4-7886-41c5-8624-fc5c21972e5a

Configurations

No configuration.

History

No history.

Information

Published : 2024-06-06 18:15

Updated : 2024-06-07 14:56

NVD link : CVE-2024-3033

Mitre link : CVE-2024-3033

CVE.ORG link : CVE-2024-3033

JSON object : View

Products Affected

No product.

CWE

CWE-285

Improper Authorization

{"id": "CVE-2024-3033", "cveTags": [], "metrics": {"cvssMetricV30": [{"type": "Secondary", "source": "security@huntr.dev", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 5.2, "exploitabilityScore": 3.9}]}, "published": "2024-06-06T18:15:17.040", "references": [{"url": "https://github.com/mintplex-labs/anything-llm/commit/bf8df60c02b9ddc7ba682809ca12c5637606393a", "source": "security@huntr.dev"}, {"url": "https://huntr.com/bounties/8a98a0b4-7886-41c5-8624-fc5c21972e5a", "source": "security@huntr.dev"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Primary", "source": "security@huntr.dev", "description": [{"lang": "en", "value": "CWE-285"}]}], "descriptions": [{"lang": "en", "value": "An improper authorization vulnerability exists in the mintplex-labs/anything-llm application, specifically within the '/api/v/' endpoint and its sub-routes. This flaw allows unauthenticated users to perform destructive actions on the VectorDB, including resetting the database and deleting specific namespaces, without requiring any authorization or permissions. The issue affects all versions up to and including the latest version, with a fix introduced in version 1.0.0. Exploitation of this vulnerability can lead to complete data loss of document embeddings across all workspaces, rendering workspace chats and embeddable chat widgets non-functional. Additionally, attackers can list all namespaces, potentially exposing private workspace names."}, {"lang": "es", "value": "Existe una vulnerabilidad de autorizaci\u00f3n inadecuada en la aplicaci\u00f3n mintplex-labs/anything-llm, espec\u00edficamente dentro del endpoint '/api/v/' y sus subrutas. Esta falla permite a usuarios no autenticados realizar acciones destructivas en VectorDB, incluido restablecer la base de datos y eliminar espacios de nombres espec\u00edficos, sin requerir autorizaci\u00f3n ni permisos. El problema afecta a todas las versiones hasta la \u00faltima versi\u00f3n incluida, con una soluci\u00f3n introducida en la versi\u00f3n 1.0.0. La explotaci\u00f3n de esta vulnerabilidad puede provocar la p\u00e9rdida completa de datos de documentos incrustados en todos los espacios de trabajo, lo que hace que los chats del espacio de trabajo y los widgets de chat incrustados no funcionen. Adem\u00e1s, los atacantes pueden enumerar todos los espacios de nombres, lo que podr\u00eda exponer los nombres de los espacios de trabajo privados."}], "lastModified": "2024-06-07T14:56:05.647", "sourceIdentifier": "security@huntr.dev"}