Anonymous Access to Import Endpoint Leads to Database Deletion/Spoofing
An improper access control vulnerability in the latest version of the software allows an anonymous attacker to import their own database file, leading to the deletion or spoofing of the `anythingllm.db` file. This issue was patched in version 1.0.0.
Available publicly on Mar 01 2024
Remediation Steps
- Update to version 1.0.0 or later.
- Implement proper access control on the data import endpoint to ensure only authorized users can upload database files.
- Regularly audit and monitor access logs for any unauthorized attempts to access the import endpoint.
- Consider implementing additional security measures such as file integrity checks to detect unauthorized modifications to the database file.
Patch Details
- Fixed Version: 1.0.0
- Patch Commit: https://github.com/mintplex-labs/anything-llm/commit/08d33cfd8fc47c5052b6ea29597c964a9da641e2
Want more out of Sightline?
Sightline offers even more for premium customers
Go Premium
We have - related security advisories that are available with Sightline Premium.