Mintplex-Labs Anything-LLM Vulnerable to Multiple Security Issues
CVE-2024-3152

8.8 HIGH

Key Information:

Vendor:
Mintplex-Labs
CVE Published:
6 June 2024

What is CVE-2024-3152?

Mintplex Labs' Anything LLM is exposed to a series of vulnerabilities caused by inadequate input validation on several critical endpoints: /request-token, /workspace/:slug/thread/:threadSlug/update, /system/remove-logo, /system/logo, and the collector's /process endpoint. An attacker can exploit these flaws to escalate from a default user role to an administrative role, and to read and delete files on the server without authorization. The flaws may also enable Server-Side Request Forgery (SSRF), in which the server is induced to send attacker-controlled requests to internal infrastructure. The root cause is that the application does not correctly validate user input before passing it to Prisma database operations and other essential functions.
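The root cause named above, unvalidated request input reaching an ORM write, is easiest to see side by side with its fix. The following is an added illustration written for this page; it is not Anything-LLM's code and does not reproduce any of the listed endpoints. The record shape (`name`, `role`, `userId`), the `FakeTable` stand-in for Prisma's `update({ where, data })`, and the request bodies are all constructed for the example. It shows why an update handler must allowlist writable fields, type-check each value, and scope the write to the caller's own record before anything is handed to the database layer.

```javascript
// Added example: unvalidated body forwarded to an ORM update vs. an allowlisted update.
// Not Anything-LLM's code. Field names, the stand-in ORM and the sample bodies are constructed.

// Minimal stand-in for an ORM table whose update() mirrors the shape of prisma.model.update().
class FakeTable {
  constructor(rows) {
    this.rows = rows;
  }
  update({ where, data }) {
    const row = this.rows.find((r) => r.id === where.id);
    if (!row) throw new Error("record not found");
    Object.assign(row, data); // every key in `data` becomes a column write
    return { ...row };
  }
}

// Vulnerable pattern: the parsed JSON body is passed straight through as the update payload.
// A caller who is only meant to rename the record can also set columns such as `role`.
function updateUnsafe(table, id, body) {
  return table.update({ where: { id }, data: body });
}

// Hardened pattern. A Map (not an object literal) holds the allowlist so that inherited
// property names such as "constructor" or "__proto__" can never match a writable field.
const WRITABLE = new Map([
  ["name", (v) => typeof v === "string" && v.length > 0 && v.length <= 255],
]);

// Returns { ok: true, data } with only allowlisted, type-checked fields, or { ok: false, error }.
function validateUpdateBody(body) {
  if (body === null || typeof body !== "object" || Array.isArray(body)) {
    return { ok: false, error: "body must be a JSON object" };
  }
  const data = {};
  for (const [key, value] of Object.entries(body)) {
    const check = WRITABLE.get(key);
    if (!check) return { ok: false, error: `field not allowed: ${key}` };
    if (!check(value)) return { ok: false, error: `invalid value for ${key}` };
    data[key] = value;
  }
  if (Object.keys(data).length === 0) {
    return { ok: false, error: "no writable fields supplied" };
  }
  return { ok: true, data };
}

// The authenticated caller's user id comes from the session, never from the body.
function updateSafe(table, id, callerUserId, body) {
  const row = table.rows.find((r) => r.id === id);
  if (!row || row.userId !== callerUserId) {
    return { status: 403, error: "record does not belong to caller" };
  }
  const v = validateUpdateBody(body);
  if (!v.ok) return { status: 400, error: v.error };
  return { status: 200, record: table.update({ where: { id }, data: v.data }) };
}

// Constructed fixture: one record owned by user 7 with the default role.
function makeTable() {
  return new FakeTable([{ id: 1, userId: 7, name: "notes", role: "default" }]);
}

// Constructed request body: a legitimate rename with a privileged column smuggled alongside it.
const SMUGGLED_BODY = { name: "renamed", role: "admin" };

// Runs both handlers against fresh fixtures and reports what each wrote.
function demo() {
  const unsafeTable = makeTable();
  const unsafeResult = updateUnsafe(unsafeTable, 1, SMUGGLED_BODY);
  const safeTable = makeTable();
  const safeResult = updateSafe(safeTable, 1, 7, SMUGGLED_BODY);
  return {
    unsafeRoleAfter: unsafeResult.role,        // "admin": the smuggled column was written
    safeStatus: safeResult.status,             // 400: rejected before reaching the ORM
    safeRoleAfter: safeTable.rows[0].role,     // "default": record untouched
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The ownership check runs before validation so that a caller cannot probe another user's record for accepted field names via the different error messages; in a real service both branches would log the rejected body shape, which is also a useful detection signal for mass-assignment attempts.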

Affected Version(s)

mintplex-labs/anything-llm < 1.0.0

References

CVSS V3.1

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published: 6 June 2024

  • Vulnerability Reserved