Unauthorized Access to VectorDB: Complete Data Loss Possible
CVE-2024-3033

9.4 CRITICAL

Key Information:

Vendor
CVE Published: 6 June 2024

What is CVE-2024-3033?

An improper authorization vulnerability exists in the mintplex-labs Anything-LLM application specifically within the '/api/v/' endpoint and its sub-routes. This vulnerability enables unauthenticated users to execute destructive actions on the VectorDB, such as resetting the database and deleting certain namespaces, without needing any form of authorization or permissions. The flaw affects all versions of the application up to and including the latest release. Exploiting this issue can lead to extensive data loss of document embeddings across all workspaces, thereby disabling workspace chats and embeddable chat widgets. Additionally, attackers have the capability to list all namespaces, potentially exposing private workspace names.

Affected Version(s)

mintplex-labs/anything-llm < 1.0.0

References

CVSS V3.1

Score: 9.4
Severity: CRITICAL
Confidentiality: Low
Integrity: High
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
