High

anything-llm

Privilege Escalation from Manager to Admin

A privilege escalation vulnerability in anything-llm (the latest release at the time of reporting) allows users holding the 'manager' role to promote their own account to 'admin'. The issue was patched in version 1.0.0.

Available publicly on Feb 25 2024

CVSS: 7.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N)

Credit: dastaj

Threat Overview

The vulnerability exists in the endpoint /api/admin/user/:id, which users with the 'manager' role are permitted to call in order to update account details. The endpoint's authorization check does not distinguish the 'admin' and 'manager' roles, so the role value submitted in the request body is applied without verifying that the caller is an admin. A manager can therefore set their own role to 'admin'. This grants unauthorized access to critical application settings such as LLM Preference, Embedding Preference, Vector Database, and Data Connectors.

Attack Scenario

An attacker holding the 'manager' role intercepts the HTTP request sent to /api/admin/user/:id when updating their own account details and changes the role field to 'admin'. After logging out and logging back in, the attacker's session carries admin privileges, and the attacker can perform any administrative action within the application.
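The following is an added example, not code from anything-llm, that models the handler behaviour described in the Threat Overview and replays the attack from the scenario above. It stands in for the /api/admin/user/:id update with plain functions instead of an Express route so it runs offline: the user table, role names, and the helper names (updateUserVulnerable, updateUserHardened, demo) are all constructed for illustration. The unsafe variant checks only that the caller holds some privileged role and then writes every submitted field to the target record; the hardened variant whitelists the fields, validates the role value, and refuses to let a manager grant or touch admin, or let any caller change their own role.

```javascript
// Added example (not anything-llm's own code): a minimal model of the
// /api/admin/user/:id update handler, first in the unsafe shape the advisory
// describes, then with a role-aware check. Roles and users are constructed.

const ROLES = { ADMIN: "admin", MANAGER: "manager", DEFAULT: "default" };

// Constructed in-memory user table standing in for the application's database.
function makeUsers() {
  return new Map([
    [1, { id: 1, username: "alice", role: ROLES.ADMIN }],
    [2, { id: 2, username: "mallory", role: ROLES.MANAGER }],
    [3, { id: 3, username: "bob", role: ROLES.DEFAULT }],
  ]);
}

// Unsafe: only checks that the caller holds *some* privileged role, then copies
// every field from the request body onto the target record. A manager can
// therefore send {"role":"admin"} against their own id.
function updateUserVulnerable(users, caller, targetId, body) {
  if (caller.role !== ROLES.ADMIN && caller.role !== ROLES.MANAGER) {
    return { status: 403, error: "Forbidden" };
  }
  const target = users.get(targetId);
  if (!target) return { status: 404, error: "Not found" };
  Object.assign(target, body);
  return { status: 200, user: target };
}

// Hardened: same entry point, but the role field is validated against the
// caller's own privilege before anything is written.
function updateUserHardened(users, caller, targetId, body) {
  if (caller.role !== ROLES.ADMIN && caller.role !== ROLES.MANAGER) {
    return { status: 403, error: "Forbidden" };
  }
  const target = users.get(targetId);
  if (!target) return { status: 404, error: "Not found" };

  // Whitelist the fields this endpoint may touch; everything else is dropped.
  const allowed = ["username", "role"];
  const updates = {};
  for (const k of allowed) if (k in body) updates[k] = body[k];

  if ("role" in updates) {
    if (!Object.values(ROLES).includes(updates.role)) {
      return { status: 400, error: "Invalid role" };
    }
    // A manager may neither grant admin nor modify an existing admin account.
    if (caller.role === ROLES.MANAGER &&
        (updates.role === ROLES.ADMIN || target.role === ROLES.ADMIN)) {
      return { status: 403, error: "Managers cannot assign or modify admin roles" };
    }
    // Nobody changes their own role through this endpoint.
    if (caller.id === target.id && updates.role !== target.role) {
      return { status: 403, error: "Cannot change your own role" };
    }
  }
  Object.assign(target, updates);
  return { status: 200, user: target };
}

// Replays the advisory's attack: the manager (id 2) edits their own account
// and sets role=admin, against both variants of the handler.
function demo() {
  const body = { username: "mallory", role: ROLES.ADMIN };
  const vulnUsers = makeUsers();
  const vuln = updateUserVulnerable(vulnUsers, vulnUsers.get(2), 2, body);
  const fixedUsers = makeUsers();
  const fixed = updateUserHardened(fixedUsers, fixedUsers.get(2), 2, body);
  return {
    vulnerableStatus: vuln.status,         // 200: the write went through
    vulnerableRole: vulnUsers.get(2).role, // "admin": escalation succeeded
    hardenedStatus: fixed.status,          // 403: rejected
    hardenedRole: fixedUsers.get(2).role,  // still "manager"
  };
}

if (typeof module !== "undefined") {
  module.exports = { ROLES, makeUsers, updateUserVulnerable, updateUserHardened, demo };
}
```

The hardened check is deliberately done against the caller's role as stored server-side, not against anything in the request; the session's role is the only trustworthy input, which is also why the manager still reaches the endpoint at all but cannot use it to escalate.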

Who is affected

Any deployment running an unpatched version (prior to 1.0.0) in which accounts hold the 'manager' role is affected. A single manager account is enough, because managers can already reach the user management endpoint.
