CVE-2024-3101 MEDIUM

CVE-2024-3101: Privilege Escalation via Improper Input Validation in mintplex-labs/anything-llm

Vendor: Mintplex-Labs
Product: mintplex-labs/anything-llm
Weakness: CWE-20 · Input validation
Published: April 10, 2024
Last update: August 21, 2024

CVSS base score

6.7/10
Attack vector: Network
Attack complexity: Low
Privileges required: High
User interaction: None
Confidentiality: High
Integrity: High

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L

What the vulnerability does

01 Description

In mintplex-labs/anything-llm, an improper input validation vulnerability allows attackers to escalate privileges by deactivating 'Multi-User Mode'. By sending a specially crafted curl request with the 'multi_user_mode' parameter set to false, an attacker can deactivate 'Multi-User Mode'. This action permits the creation of a new admin user without requiring a password, leading to unauthorized administrative access.

Key dates

02 Disclosure timeline

April 10, 2024: CVE published
August 21, 2024: Record updated
