Threat Overview
The vulnerability stems from improper handling of upload requests in the upload-link
endpoint. By sending a request with either an empty body and a 'Content-Length: 0' header or a non-empty body with a mismatched 'Content-Length' value, an attacker can cause the server to shut down. This indicates a failure in the application to properly validate and handle incoming data, leading to uncontrolled resource consumption and ultimately, a DOS condition.
Attack Scenario
An attacker, after obtaining at least a 'Manager' role within the application, sends a specially crafted request to the upload-link
endpoint. This request either contains an empty body with a 'Content-Length: 0' header or a non-empty body with a 'Content-Length' header value that does not match the actual size of the body. The server, unable to properly process this request, shuts down, resulting in a denial of service for all legitimate users.
Who is affected
All users of the AnythingLLM application prior to version 1.0.0 are affected by this vulnerability, as it allows an attacker with sufficient privileges to shut down the server, denying service to legitimate users.
Technical Report
Want more out of Sightline?
Sightline offers even more for premium customers
Go Premium
We have - related security advisories that are available with Sightline Premium.