Unauthorized Administrative Access via Improper Input Validation Vulnerability
CVE-2024-3101

7.2HIGH

Key Information:

Vendor

Mintplex-labs

Status
Mintplex-labs/anything-llm
Vendor
CVE Published:
10 April 2024

What is CVE-2024-3101?

An improper input validation flaw in Anything-LLM enables attackers to escalate privileges by disabling the 'Multi-User Mode'. By crafting a malicious curl request with the 'multi_user_mode' parameter set to false, attackers can deactivate this mode. This manipulation permits the creation of a new admin user without a password, resulting in unauthorized administrative access to the application.

Affected Version(s)

mintplex-labs/anything-llm < 1.0.0

References

https://huntr.com/bounties/c114c03e-3348-450f-88f7-538502...
https://github.com/mintplex-labs/anything-llm/commit/52fa...

CVSS V3.1

Score:
7.2
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.
CVE-2024-3101 : Unauthorized Administrative Access via Improper Input Validation Vulnerability