Lucene search

@huntr_aiCVELIST:CVE-2024-0439

HistoryFeb 25, 2024 - 7:48 p.m.

CVE-2024-0439 User can manually send request at manager permission to modify system configurations

2024-02-2519:48:56

CWE-269

@huntr_ai

www.cve.org

cve-2024-0439

user permission

system configurations

http request

patched

manager role

7.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N

0.0004 Low

EPSS

Percentile

9.2%

JSON

As a manager, you should not be able to modify a series of settings. In the UI this is indeed hidden as a convenience for the role since most managers would not be savvy enough to modify these settings. They can use their token to still modify those settings though through a standard HTTP request

While this is not a critical vulnerability, it does indeed need to be patched to enforce the expected permission level.

CNA Affected

[
  {
    "vendor": "mintplex-labs",
    "product": "mintplex-labs/anything-llm",
    "versions": [
      {
        "version": "unspecified",
        "lessThan": "1.0.0",
        "status": "affected",
        "versionType": "custom"
      }
    ]
  }
]

References

github.com/mintplex-labs/anything-llm/commit/7200a06ef07d92eef5f3c4c8be29824aa001d688

huntr.com/bounties/7fc1b78e-7faf-4f40-961d-61e53dac81ce

7.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N

0.0004 Low

EPSS

Percentile

9.2%

JSON

Related for CVELIST:CVE-2024-0439