Sensitive Information Exposure via Export Feature
A vulnerability in Anything-LLM allows default and manager users to export and access all system database information, including usernames, passwords, and API keys. This issue affects the latest version of the software and was patched in version 1.0.0.
Available publicly on Mar 03 2024 | Available with Premium on Jan 19 2024
Remediation Steps
- Update to version 1.0.0 of Anything-LLM to patch the vulnerability.
- Review and restrict export feature access to only those roles that require it for legitimate purposes.
- Audit logs for unusual export activity that may indicate exploitation attempts.
- Regularly rotate sensitive credentials and API keys to minimize the impact of potential exposure.
- Implement additional layers of access control and monitoring around sensitive functionalities to prevent similar vulnerabilities.
Patch Details
- Fixed Version: 1.0.0
- Patch Commit: https://github.com/mintplex-labs/anything-llm/commit/08d33cfd8fc47c5052b6ea29597c964a9da641e2
Want more out of Sightline?
Sightline offers even more for premium customers
Go Premium
We have - related security advisories that are available with Sightline Premium.