High

anything-llm

Timing Attack Vulnerability in Authentication Token Verification

A timing attack vulnerability was identified in the authentication token verification process of Mintplex-Labs/anything-llm, affecting versions prior to 1.0.0. The issue, patched in version 1.0.0, allowed attackers to potentially guess the authentication token because the token check was not performed in constant time, so the response time could vary with how much of a guessed token matched.

Available publicly on Feb 25 2024

CVSS score: 7.1

CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

Credit:

ranjit-git

Remediation Steps
  • Update to version 1.0.0 or later to patch the vulnerability.
  • Consider implementing constant-time comparison functions for sensitive comparisons to mitigate timing attacks.
  • Regularly review and update dependencies and third-party libraries to ensure security patches are applied.
  • Employ additional security measures such as rate limiting and monitoring to detect and prevent brute-force attempts.

Patch Details
  • Fixed Version: 1.0.0
  • Patch Commit: https://github.com/mintplex-labs/anything-llm/commit/3c859ba3038121b67fb98e87dc52617fa27cbef0