Improper Storage of Sensitive Information in Bearer Token
Versions of the mintplex-labs/anything-llm project before 1.0.3 store a user's password inside the JWT that is issued as a bearer token. A JWT payload is only base64url-encoded, not encrypted, so anyone who obtains the token can read the password without knowing the signing key. This issue was patched in version 1.0.3.
Available publicly on Oct 02 2024 | Available with Premium on Aug 14 2024
Remediation Steps
- Update to version 1.0.3 or later.
- Put only a reference to the sensitive information in the JWT (e.g., a user ID or token ID) and resolve that reference on the server side on each request.
- Keep sensitive information on the server side, protected at rest (passwords as salted hashes, other secrets encrypted), and never include it in a JWT, whose payload is readable by any holder of the token.
Patch Details
- Fixed Version: 1.0.3
- Patch Commit: https://github.com/mintplex-labs/anything-llm/commit/4430ddb05988470bc8f0479e7d07db1f7d4646ba