High

anything-llm

Timing Attack Vulnerability in Authentication Token Verification

A timing attack vulnerability was identified in the authentication token verification process of Mintplex-Labs/anything-llm, affecting the latest version prior to 1.0.0. The issue, patched in version 1.0.0, allowed attackers to potentially guess the authentication token due to insufficient password checking.

Available publicly on Feb 25 2024

7.1

CVSS:

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

Credit:

ranjit-git
Threat Overview

The vulnerability stems from the way the software compares the provided password with the expected authentication token. Specifically, the comparison operation is susceptible to timing attacks, where an attacker can measure the time it takes for the operation to complete. Small differences in this timing can be used to infer information about the authentication token, eventually allowing an attacker to guess it. This type of vulnerability is significant because it can be exploited remotely without any physical access to the target system.

Attack Scenario

An attacker begins by sending numerous authentication requests to the server, each time with a slightly different authentication token. By carefully measuring the time it takes for the server to respond to each request, the attacker can deduce information about the correct authentication token. Over time, and with enough requests, the attacker can systematically guess the correct token, thereby gaining unauthorized access to the system.

Who is affected

Any users or systems relying on the affected version of Mintplex-Labs/anything-llm for authentication and security are at risk. This includes both direct users of the software and potentially any services that depend on it for secure operations.

Technical Report
Want more out of Sightline?

Sightline offers even more for premium customers

Go Premium

We have - related security advisories that are available with Sightline Premium.