Severity: High

anything-llm

Path Traversal Vulnerability in Document Uploads Manager

A path traversal vulnerability in the document uploads manager feature of the software allows users with the 'manager' role to access and delete the 'anythingllm.db' database file. The issue was patched in version 1.2.2.

Available publicly on Jul 31 2024

CVSS Score: 7.2

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Credit:

noizybit

Remediation Steps
  1. Update to version 1.2.2 or later.
  2. Implement strict validation to ensure that file movements are restricted to the 'documents' directory.
  3. Regularly audit and test endpoints for path traversal vulnerabilities.
  4. Ensure that sensitive files like 'anythingllm.db' are stored in directories that are not accessible via the web server.

Patch Details
  • Fixed Version: 1.2.2
  • Patch Commit: https://github.com/mintplex-labs/anything-llm/commit/47a5c7126c20e2277ee56e2c7ee11990886a40a7