Exposure of User Password Hash in API Responses
Available publicly on Jun 20 2024 | Available with Premium on May 22 2024
Threat Overview
The vulnerability arises from the application's handling of user objects during login (POST /api/request-token) and account creation (POST /api/admin/users/new). Specifically, the server includes the entire user object in the response, which inadvertently exposes the bcrypt password hash to the client. Although bcrypt is a robust hashing algorithm, exposing password hashes poses a significant security risk: it could allow attackers to perform offline brute-force or dictionary attacks, especially if the underlying password is weak or the attacker has access to significant computational resources.
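The leak pattern described above beside an allowlisting fix and a response check, as an added JavaScript example that is not AnythingLLM's own code; the handler shapes, field names and the sample user record are assumptions.

```javascript
// Added example (not the project's code). Field names and handler shapes are assumed.
// bcrypt hashes have a fixed textual shape: $2<variant>$<cost>$<22-char salt><31-char digest>.
const BCRYPT_HASH = /\$2[abxy]\$\d{2}\$[./A-Za-z0-9]{53}/;

// Constructed sample record in the shape a login handler would load from the database.
const storedUser = {
  id: 7,
  username: "alice",
  role: "admin",
  // Constructed bcrypt-format string (cost 10); not a real credential.
  password: "$2a$10$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234",
  createdAt: "2024-05-01T00:00:00Z",
};

// Vulnerable pattern: the whole persisted object is serialised into the response,
// so the password hash travels to the client along with the token.
function vulnerableLoginResponse(user, token) {
  return { user, token };
}

// Hardened pattern: an explicit allowlist of fields that may leave the server.
// Allowlisting (rather than deleting known-bad keys) survives future schema additions.
const PUBLIC_USER_FIELDS = ["id", "username", "role", "createdAt"];
function toPublicUser(user) {
  return Object.fromEntries(
    PUBLIC_USER_FIELDS.filter((k) => k in user).map((k) => [k, user[k]])
  );
}
function hardenedLoginResponse(user, token) {
  return { user: toPublicUser(user), token };
}

// Detection control: scan a serialised response body for bcrypt-format strings.
// Usable as an integration test or as an outbound response check in middleware.
function leaksPasswordHash(body) {
  return BCRYPT_HASH.test(JSON.stringify(body));
}
```

The same allowlist should be applied on every path that serialises a user record, including the account-creation response, not only the login one.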
Attack Scenario
An attacker could exploit this vulnerability by intercepting the API response during the login or account creation process. This could be achieved through a man-in-the-middle (MITM) attack or by compromising the client's environment. Once the attacker has access to the password hash, they could attempt to crack it offline. Successful exploitation would depend on the complexity of the user's password and the attacker's computational resources.
Who is affected
Users of mintplex-labs/anything-llm version 1.5.3 are affected by this vulnerability. Specifically, users who log in or create an account are at risk, as their password hashes could be exposed to attackers intercepting the API responses.