CVE-2024-3028 HIGH

CVE-2024-3028: Improper Input Validation in mintplex-labs/anything-llm

Vendor Mintplex-Labs

Product mintplex-labs/anything-llm

Weakness CWE-20 · Input validation

Published April 16, 2024

Last update September 6, 2024

View on NVD All CVEs

CVSS base score

7.2/10

Attack vector Network

Attack complexity Low

Privileges required High

User interaction None

Confidentiality High

Integrity High

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

mintplex-labs/anything-llm is vulnerable to improper input validation, allowing attackers to read and delete arbitrary files on the server. By manipulating the 'logo_filename' parameter in the 'system-preferences' API endpoint, an attacker can construct requests to read sensitive files or the application's '.env' file, and even delete files by setting the 'logo_filename' to the path of the target file and invoking the 'remove-logo' API endpoint. This vulnerability is due to the lack of proper sanitization of user-supplied input.

Key dates

02Disclosure timeline

April 16, 2024 CVE published

September 6, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2024-3028

Related vulnerabilities

Identifiers

CVE CVE-2024-3028

CWE CWE-20

CVSS 7.2 / HIGH

Affected versions