Denial of Service Vulnerability in User Management Panel
CVE-2024-5216

7.5 HIGH

Key Information:

Vendor
Mintplex-labs
Product
Mintplex-labs/anything-llm
CVE Published:
25 June 2024

Summary

A vulnerability in the Anything-LLM application from Mintplex Labs permits a Denial of Service because the username field has no length limit. An attacker can create user accounts with excessively long usernames; loading these records consumes enough resources to render the user management panel unresponsive. Administrators are then unable to carry out critical user management tasks such as editing, suspending, or deleting user accounts. The result is administrative paralysis that compromises the overall security of the system and disrupts normal operations: malicious accounts cannot be removed and so persist indefinitely, degrading system performance and security integrity.
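The missing control described above is a server-side bound on username length. The following is an added illustration, not code from the anything-llm project: it contrasts a handler that stores whatever the client sends with one that normalizes and bounds the field before it reaches storage, plus a display-side guard for the admin listing. The limit, character set, function names and request shape are all assumptions.

```javascript
// Added, hypothetical example; not anything-llm code. Limit and pattern are assumed.
const MAX_USERNAME_LENGTH = 100;            // assumed limit; match the UI and DB column
const USERNAME_PATTERN = /^[a-z0-9_.-]+$/i; // assumed allowed character set

// Vulnerable pattern: the handler trusts the length of whatever the client sent,
// so an attacker-supplied username of arbitrary size is persisted as-is.
function createUserUnchecked(users, body) {
  const username = String(body.username ?? "");
  users.push({ id: users.length + 1, username });
  return { ok: true, id: users.length };
}

// Hardened pattern: normalize, then reject anything outside explicit bounds
// before it can reach storage or the admin panel's rendering code.
function validateUsername(raw) {
  if (typeof raw !== "string") return { ok: false, error: "username must be a string" };
  const username = raw.normalize("NFC").trim();
  if (username.length === 0) return { ok: false, error: "username is required" };
  // Count code points rather than UTF-16 units so multi-byte characters are bounded too.
  const codePoints = [...username].length;
  if (codePoints > MAX_USERNAME_LENGTH) {
    return { ok: false, error: `username exceeds ${MAX_USERNAME_LENGTH} characters` };
  }
  if (!USERNAME_PATTERN.test(username)) {
    return { ok: false, error: "username contains disallowed characters" };
  }
  return { ok: true, username };
}

function createUserChecked(users, body) {
  const result = validateUsername(body.username);
  if (!result.ok) return { ok: false, status: 400, error: result.error };
  users.push({ id: users.length + 1, username: result.username });
  return { ok: true, id: users.length };
}

// Display-side guard for the admin listing: never render an unbounded string, so a
// record that predates the validation fix cannot stall the management page.
function displayName(username, limit = 40) {
  const cps = [...username];
  return cps.length > limit ? cps.slice(0, limit).join("") + "\u2026" : username;
}

// Constructed demo input, not a captured request.
const oversized = "a".repeat(50_000);
console.log(createUserUnchecked([], { username: oversized })); // accepted as-is
console.log(createUserChecked([], { username: oversized }));   // rejected with 400
console.log(createUserChecked([], { username: "alice" }));     // accepted
```

The same bound should be enforced at the database schema (a fixed-width column or check constraint) so that the application-layer check is not the only line of defence, and existing rows should be audited for names that exceed it.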

Affected Version(s)

mintplex-labs/anything-llm < 1.0.0

References

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Collectors

NVD Database, Mitre Database