osv Google OSV:CVE-2024-0795
History: Mar 02, 2024 - 10:15 p.m.

CVE-2024-0795

2024-03-02 22:15:49
Google
osv.dev
5
cve-2024-0795
backend authentication bypass
elevated privileges

CVSS3: 7.2
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: HIGH
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

AI Score: 7
Confidence: Low

EPSS: 0
Percentile: 9.0%

If an attacker was given access to an instance with the admin or manager role, there is no backend authentication that would prevent the attacker from creating a new user with an admin role and then using this new account to gain elevated privileges on the instance.
