| Reporter | Title | Published | Views | Family All 9 |
|---|---|---|---|---|
| anything-llm 信息泄露漏洞 | 20 Mar 202500:00 | – | cnnvd | |
| AnythingLLM Information Disclosure Vulnerability | 26 Nov 202400:00 | – | cnvd | |
| CVE-2024-6842 | 20 Mar 202510:10 | – | cve | |
| CVE-2024-6842 Exposure of Sensitive Information in mintplex-labs/anything-llm | 20 Mar 202510:10 | – | cvelist | |
| CVE-2024-6842 | 20 Mar 202510:15 | – | nvd | |
| PT-2025-12169 · Unknown · Anything-Llm | 20 Mar 202500:00 | – | ptsecurity | |
| CVE-2024-6842 | 22 Mar 202511:43 | – | redhatcve | |
| CVE-2024-6842 Exposure of Sensitive Information in mintplex-labs/anything-llm | 20 Mar 202510:10 | – | vulnrichment | |
| AnythingLLM API Sensitive Information Disclosure | 29 Jul 202400:00 | – | nessus |
id: CVE-2024-6842
info:
name: AnythingLLM - Information Disclosure
author: ingbunga,rahaaaiii,asteria121,breakpack,gy741
severity: high
description: |
AnythingLLM suffers from an information disclosure vulnerability through the `/api/setup-complete` API endpoint. By accessing this endpoint, a remote and unauthenticated attacker can access sensitive configuration of the target AnythingLLM instance. This detection is included in the AI and LLM category.
remediation: |
Update AnythingLLM to the latest version and implement proper authentication for the setup-complete API endpoint.
impact: |
An attacker can use the vulnerability to obtain device administrator rights.
reference:
- https://huntr.com/bounties/cd911fc7-ac6b-4974-acd0-9cc926fa8d9e
- https://nvd.nist.gov/vuln/detail/CVE-2024-6842
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cve-id: CVE-2024-6842
cwe-id: CWE-200
epss-score: 0.29187
epss-percentile: 0.97935
metadata:
max-request: 1
verified: true
vendor: Mintplex Labs
product: anything-llm
shodan-query: title:"AnythingLLM"
tags: cve,cve2024,unauth,exposure,anything-llm,mintplex-Labs,vuln,ai
http:
- method: GET
path:
- "{{BaseURL}}/api/setup-complete"
matchers-condition: and
matchers:
- type: dsl
dsl:
- 'contains_all(body, "AuthToken\":true", "ApiKey\":true")'
- 'contains(header, "application/json")'
- 'status_code == 200'
condition: and
- type: word
part: body
words:
- '"AgentGoogleSearchEngineId":'
- -"AgentGoogleSearchEngineKey":'
- '"AgentSerperApiKey":'
- '"AgentBingSearchApiKey":'
condition: or
# digest: 4b0a00483046022100f24b915927c508ebcea62057d28ecc88686ad14d83194b9616ac60994c166acb022100ace4d2ee4fee5a1126c1dd00fbed63bdf30597ce5adc049dd71ad99a1ad79abd:922c64590222798bb761d5b6d8e72950Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation