Severity: High

anything-llm

Privilege Escalation from Manager to Admin

A privilege escalation vulnerability in anything-llm prior to version 1.0.0 allows users with the 'manager' role to escalate their privileges to 'admin'. This issue was patched in version 1.0.0.

Available publicly on Feb 25 2024

CVSS score: 7.1

CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N

Credit: dastaj

Remediation Steps
  • Implement a check to ensure that users cannot assign a role higher than their own.
  • Update the code to differentiate between 'admin' and 'manager' roles.
  • Patch the software to version 1.0.0 or later.
  • Review and update role-based access controls to ensure proper privilege separation.
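
The first two remediation steps as a role-rank check in JavaScript, placed beside the weak pattern it replaces. This is an added example, not anything-llm's own code or the content of the linked patch commit; the role names 'default', 'manager' and 'admin', their rank values, and the handler shapes are assumptions.

```javascript
// Added example, not anything-llm's own code: a role-assignment guard for a
// user-update endpoint. Role names and rank values below are assumptions.
const ROLE_RANK = Object.freeze({ default: 0, manager: 1, admin: 2 });

function rankOf(role) {
  if (!Object.prototype.hasOwnProperty.call(ROLE_RANK, role)) {
    throw new Error(`unknown role: ${String(role)}`);
  }
  return ROLE_RANK[role];
}

// Vulnerable pattern: the handler only checks that the actor is "elevated" and
// then copies whatever role the body carries, so a manager can write "admin".
function updateUserVulnerable(actor, target, patch) {
  if (actor.role !== "admin" && actor.role !== "manager") return { ok: false, status: 403 };
  return { ok: true, user: { ...target, ...patch } };
}

// Hardened check: an actor may neither edit an account that outranks them nor
// grant a role above their own; unknown role names are rejected, not ignored.
function authorizeUserUpdate(actor, target, patch) {
  try {
    const actorRank = rankOf(actor.role);
    if (actorRank < rankOf("manager")) return { ok: false, reason: "actor is not a manager" };
    if (rankOf(target.role) > actorRank) return { ok: false, reason: "target outranks actor" };
    if (patch.role !== undefined && rankOf(patch.role) > actorRank) {
      return { ok: false, reason: "cannot grant a role above your own" };
    }
    return { ok: true };
  } catch (err) {
    return { ok: false, reason: err.message };
  }
}

function updateUserHardened(actor, target, patch) {
  const decision = authorizeUserUpdate(actor, target, patch);
  if (!decision.ok) return { ok: false, status: 403, reason: decision.reason };
  return { ok: true, user: { ...target, ...patch } };
}
// Constructed sample accounts: a manager attempting to self-promote.
const admin = { id: 1, role: "admin" };
const manager = { id: 2, role: "manager" };
function demo() {
  return {
    vulnerable: updateUserVulnerable(manager, manager, { role: "admin" }).ok, // true: escalation
    hardened: updateUserHardened(manager, manager, { role: "admin" }).ok, // false: blocked
    managerEditsAdmin: updateUserHardened(manager, admin, { username: "renamed" }).ok, // false
  };
}
```

The same rank comparison belongs on every path that writes a role, including bulk imports and invitation flows, not only the single-user update handler.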

Patch Details
  • Fixed Version: 1.0.0
  • Patch Commit: https://github.com/mintplex-labs/anything-llm/commit/62cea075995b54ebea52b6a7a3a6e6f936f85343