CVE-2024-0439

2024-02-26 16:27:50
CWE-269
web.nvd.nist.gov
Tags: manager, settings, ui, http request, security patch, permission level

CVSS3: 7.1 High
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: HIGH
Availability Impact: NONE

AI Score: 6.8 Medium (Confidence: High)

EPSS: 0.0004 Low (Percentile: 9.2%)

As a manager, you should not be able to modify a series of settings. In the UI these settings are hidden as a convenience for the role, since most managers would not be savvy enough to modify them. The restriction is not enforced by the server, though: a manager can still modify those settings by sending a standard HTTP request with their own token, bypassing the UI entirely.

While this is not a critical vulnerability, it does need to be patched so that the expected permission level is enforced server-side rather than only in the UI.

CNA Affected

[
  {
    "vendor": "mintplex-labs",
    "product": "mintplex-labs/anything-llm",
    "versions": [
      {
        "version": "unspecified",
        "lessThan": "1.0.0",
        "status": "affected",
        "versionType": "custom"
      }
    ]
  }
]
