Remote Code Execution Vulnerability in anything-llm Could Lead to Code Execution and Data Modification
CVE-2024-3104

9.8CRITICAL

Key Information:

Vendor: Mintplex-labs
Status: Mintplex-labs/anything-llm
Vendor: CVE Published:; 6 June 2024

Summary

A vulnerability exists in Anything-LLM from Mintplex Labs due to improper handling of environment variables, specifically in the /api/system/update-env endpoint. Attackers can exploit this weakness to inject arbitrary environment variables, potentially leading to the execution of arbitrary code on the host system running Anything-LLM. This vulnerability is present in the latest version of the product, as identified by commit fde905aac1812b84066ff72e5f2f90b56d4c3a59. Successful exploitation may allow attackers to read and modify data accessible to the user operating the service, which could result in wider security implications including denial of service. The issue has been resolved in version 1.0.0.

Affected Version(s)

mintplex-labs/anything-llm < 1.0.0

References

https://huntr.com/bounties/4f2fcb45-5828-4bec-985a-9d3a0e...

https://github.com/mintplex-labs/anything-llm/commit/bfed...

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jun 6, 2024
Vulnerability Reserved
Mar 29, 2024