Critical

anything-llm

Path Traversal Leading to Arbitrary File Operations and DoS

A path traversal vulnerability in mintplex-labs/anything-llm allows a user with the manager role to perform arbitrary file read, delete and overwrite operations and to cause a denial of service, up to and including admin account takeover. This issue affects the latest version of the software and was patched in version 1.0.0.

Available publicly on Jun 12 2024

CVSS score: 9.1

CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Credit: noizybit

Threat Overview

The vulnerability stems from insufficient path sanitization in the normalizePath() function, which fails to handle certain path traversal payloads. The flaw is reachable through the application's custom-logo feature: the logo file path supplied there can be manipulated to point at critical files such as the application's database or configuration files. The impact is significant: information disclosure, unauthorized file manipulation, service disruption, and unauthorized system access.

Attack Scenario

An attacker with manager privileges can exploit this vulnerability by manipulating the logo file path to point to critical system files, enabling them to read, delete, or overwrite these files. For instance, by setting the logo file path to a traversal sequence leading to the application's database, the attacker can download or manipulate the database. Similarly, deleting key configuration files can disrupt the application's functionality, leading to a denial of service.

Who is affected

The vulnerability primarily affects users with manager roles who have the capability to set custom logos within the application. However, the broader impact includes all users and the application's operations, as unauthorized file operations and service disruptions compromise the integrity, availability, and confidentiality of the application and its data.
