Lucene search

K
cve@huntr_aiCVE-2024-0436
HistoryFeb 26, 2024 - 4:27 p.m.

CVE-2024-0436

2024-02-2616:27:50
CWE-764
@huntr_ai
web.nvd.nist.gov
76
cve-2024-0436
password protection
timing attack
nvd

CVSS3

7.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

AI Score

7

Confidence

High

EPSS

0

Percentile

9.0%

Theoretically, it would be possible for an attacker to brute-force the password for an instance in single-user password protection mode via a timing attack given the linear nature of the !== used for comparison.

The risk is minified by the additional overhead of the request, which varies in a non-constant nature making the attack less reliable to execute

Affected configurations

Vulners
Node
mintplex-labsmintplex-labs\/anything-llmMatch1.0.0
VendorProductVersionCPE
mintplex-labsmintplex-labs\/anything-llm1.0.0cpe:2.3:a:mintplex-labs:mintplex-labs\/anything-llm:1.0.0:*:*:*:*:*:*:*

CNA Affected

[
  {
    "vendor": "mintplex-labs",
    "product": "mintplex-labs/anything-llm",
    "versions": [
      {
        "version": "unspecified",
        "lessThan": "1.0.0",
        "status": "affected",
        "versionType": "custom"
      }
    ]
  }
]

CVSS3

7.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

AI Score

7

Confidence

High

EPSS

0

Percentile

9.0%

Related for CVE-2024-0436