Path Traversal Vulnerability in Anything-LLM by Mintplex Labs
CVE-2024-13059

Key Information:

Vendor: Mintplex Labs
CVE Published: 10 February 2025

What is CVE-2024-13059?

CVE-2024-13059 is a vulnerability in the Anything-LLM product developed by Mintplex Labs, software used for natural language processing and machine learning applications. The flaw stems from improper handling of non-ASCII filenames in the multer-based file upload path, which allows path traversal. Authenticated users with the manager or admin role can use it to write files outside the intended upload directory on the server. This can lead to unauthorized file manipulation and potentially to remote code execution, jeopardizing the integrity and security of an organization's systems and data.

Technical Details

The vulnerability lies in the file upload process handled by the multer library, where uploaded filenames are not adequately sanitized. An attacker can include directory traversal sequences such as '../' in a filename and thereby write files to directories on the server that the upload handler was never meant to reach. If the written file lands in a location that the application or operating system executes or loads, this can lead to arbitrary code execution. The vulnerability affects versions of Anything-LLM prior to 1.3.1.

Potential impact of CVE-2024-13059

  1. Arbitrary File Write: Attackers can write files to any location on the server, which could overwrite important system files or introduce malicious scripts that compromise the server’s integrity.

  2. Remote Code Execution: Successful exploitation can enable attackers to execute arbitrary code on the server, leading to full control of the affected system, data breaches, and other forms of malware deployment.

  3. Unauthorized Access: With the ability to manipulate files and execute code, attackers could facilitate unauthorized access to confidential information, compromising sensitive organizational data and potentially affecting overall business operations.

Affected Version(s)

mintplex-labs/anything-llm < 1.3.1

Timeline

  • Vulnerability published

  • Vulnerability reserved
