CVE-2024-3102 MEDIUM

CVE-2024-3102: JSON Injection in mintplex-labs/anything-llm

Vendor Mintplex-Labs
Product mintplex-labs/anything-llm
Weakness CWE-307 · Improper Restriction of Excessive Authentication Attempts (brute force)
Published June 6, 2024
Last update November 3, 2024

CVSS base score

5.3/10 (CVSS 3.0)
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Scope Unchanged
Confidentiality Low
Integrity None
Availability None

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

What the vulnerability does

Description

A JSON injection vulnerability exists in the `mintplex-labs/anything-llm` application, in the `username` parameter of the login request sent to the `/api/request-token` endpoint. The endpoint does not constrain the type of the submitted value, so a JSON value other than a plain string can reach the account lookup and is interpreted as part of the query rather than as a literal name. This has two consequences. First, an attacker can brute-force passwords without knowing any username, because a crafted username value can be made to match an existing account. Second, once a password is known, the attacker can issue blind probes through the username field and recover the full username one character at a time, observing only whether the login succeeds. The endpoint is reachable without authentication over the network, which is why the CVSS vector records no privileges required and no user interaction, with the impact limited to confidentiality (disclosure of account names).

Key dates

Disclosure timeline

June 6, 2024 CVE published
November 3, 2024 Record updated