CVE-2024-0455

2024-02-2616:27:50

CWE-918

[email protected]

web.nvd.nist.gov

web scraper

anythingllm

unauthorized access

ec2 instance

security credentials

iptable

firewall rule

CVSS3

9.9

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

AI Score

9.4

Confidence

High

EPSS

Percentile

9.0%

JSON

The inclusion of the web scraper for AnythingLLM means that any user with the proper authorization level (manager, admin, and when in single user) could put in the URL

http://169.254.169.254/latest/meta-data/identity-credentials/ec2/security-credentials/ec2-instance

which is a special IP and URL that resolves only when the request comes from within an EC2 instance. This would allow the user to see the connection/secret credentials for their specific instance and be able to manage it regardless of who deployed it.

The user would have to have pre-existing knowledge of the hosting infra which the target instance is deployed on, but if sent - would resolve if on EC2 and the proper iptable or firewall rule is not configured for their setup.