Severity: Critical

Package: anything-llm

Sensitive Information Exposure via Export Feature

A vulnerability in Anything-LLM allows users with the default or manager role to export the entire system database, exposing usernames, passwords, and API keys to accounts that should not be able to read them. The issue affects versions before 1.0.0 and was patched in version 1.0.0.

Available publicly on Mar 03 2024

CVSS score: 9.6

CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N

Credit: ranjit-git

Remediation Steps
  • Update to version 1.0.0 or later of Anything-LLM, which contains the fix.
  • Review and restrict export feature access to only those roles that require it for legitimate purposes.
  • Audit logs for unusual export activity, in particular exports performed by default or manager accounts, which may indicate exploitation.
  • If an unpatched instance was reachable by untrusted default or manager users, treat the exported data as compromised: rotate API keys and reset user passwords, and keep rotating sensitive credentials on a regular schedule to minimize the impact of any future exposure.
  • Implement additional layers of access control and monitoring around sensitive functionalities to prevent similar vulnerabilities.
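As an added illustration (this is not anything-llm's own code and does not reproduce the linked patch commit), the following JavaScript contrasts an export handler gated only on authentication, which is the shape of bug the advisory describes, with one that applies a role allow-list and strips credential fields, and adds a small scan over audit-log lines that flags exports performed by non-admin roles. The roles 'default' and 'manager' are taken from the advisory; 'admin' as the sole export-capable role, the table and field names, and the audit-log format are assumptions, and all data is constructed.

```javascript
// Added illustration of the advisory's bug class, not anything-llm's own code.
// 'default' and 'manager' are roles named in the advisory; 'admin' as the only
// export-capable role, the table/field names and the log format are assumptions.

// Constructed sample standing in for a full database dump (not real data).
const SAMPLE_DB = {
  users: [
    { id: 1, username: 'alice', password: '$2b$10$constructed-hash-admin', role: 'admin' },
    { id: 2, username: 'bob', password: '$2b$10$constructed-hash-user', role: 'default' },
  ],
  api_keys: [{ id: 1, secret: 'sk-constructed-0001', created_by: 1 }],
  workspaces: [{ id: 1, name: 'research', created_by: 2 }],
};

function deepCopy(obj) {
  return JSON.parse(JSON.stringify(obj));
}

// Vulnerable shape: the only gate is "is this request authenticated?", so any
// default or manager user receives every table, credentials included.
function exportDatabaseVulnerable(user, db) {
  if (!user) throw new Error('401: authentication required');
  return deepCopy(db);
}

// Hardened shape: (1) an explicit allow-list of roles may export at all,
// (2) tables that exist only to hold secrets are never exported, and
// (3) secret-bearing fields are stripped from whatever is exported.
const EXPORT_ROLES = new Set(['admin']);
const NEVER_EXPORT_TABLES = new Set(['api_keys']);
const SECRET_FIELDS = new Set(['password', 'secret', 'token']);

function redactRecord(record) {
  const clean = {};
  for (const [key, value] of Object.entries(record)) {
    if (!SECRET_FIELDS.has(key)) clean[key] = value;
  }
  return clean;
}

function exportDatabaseHardened(user, db) {
  if (!user) throw new Error('401: authentication required');
  // Deny by default: an unknown role (or a typo in a role name) gets no export access.
  if (!EXPORT_ROLES.has(user.role)) {
    throw new Error(`403: role '${user.role}' may not export the database`);
  }
  const out = {};
  for (const [table, rows] of Object.entries(db)) {
    if (NEVER_EXPORT_TABLES.has(table)) continue;
    out[table] = rows.map(redactRecord);
  }
  return out;
}

// Does an export payload still carry a field that looks like a credential?
function containsSecrets(payload) {
  return Object.values(payload).some((rows) =>
    rows.some((row) => Object.keys(row).some((k) => SECRET_FIELDS.has(k))),
  );
}

// Detection: scan export audit events (constructed JSON lines, assumed format)
// and return the exports performed by roles outside the allow-list.
const SAMPLE_AUDIT_LOG = [
  '{"ts":"2024-03-03T10:00:01Z","event":"db_export","user":"alice","role":"admin"}',
  '{"ts":"2024-03-03T10:05:42Z","event":"db_export","user":"bob","role":"default"}',
  '{"ts":"2024-03-03T10:06:10Z","event":"login","user":"bob","role":"default"}',
  '{"ts":"2024-03-03T10:07:00Z","event":"db_export","user":"carol","role":"manager"}',
];

function findSuspiciousExports(lines) {
  const hits = [];
  for (const line of lines) {
    let ev;
    try { ev = JSON.parse(line); } catch (e) { continue; } // skip malformed lines
    if (ev.event === 'db_export' && !EXPORT_ROLES.has(ev.role)) hits.push(ev);
  }
  return hits;
}

if (typeof require !== 'undefined' && require.main === module) {
  const bob = { id: 2, username: 'bob', role: 'default' };
  console.log('vulnerable export leaks secrets:', containsSecrets(exportDatabaseVulnerable(bob, SAMPLE_DB)));
  try {
    exportDatabaseHardened(bob, SAMPLE_DB);
  } catch (e) {
    console.log('hardened export for default user:', e.message);
  }
  const alice = { id: 1, username: 'alice', role: 'admin' };
  console.log('hardened export for admin:', JSON.stringify(exportDatabaseHardened(alice, SAMPLE_DB)));
  console.log('suspicious exports by:', findSuspiciousExports(SAMPLE_AUDIT_LOG).map((e) => e.user));
}
```

The design point is that the role check alone is not enough: even an admin-only export should not carry password hashes or API key material, so the hardened handler combines a deny-by-default allow-list with field-level redaction, and the audit scan gives the detection side of the remediation list a concrete query to run against export events.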
Patch Details
  • Fixed Version: 1.0.0
  • Patch Commit: https://github.com/mintplex-labs/anything-llm/commit/08d33cfd8fc47c5052b6ea29597c964a9da641e2