Critical Severity

anything-llm

Path Traversal Leading to Arbitrary File Operations and DoS

A path traversal vulnerability in mintplex-labs/anything-llm allows a manager to perform arbitrary file read, delete, overwrite operations, and execute a DoS attack, including admin account takeover. This issue affects the latest version of the software and was patched in version 1.0.0.

Available publicly on Jun 12 2024

9.1

CVE:

CVE-2024-5211

CWE:

29:Path Traversal: '\..\filename'

CVSS:

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Credit:

noizybit
AssessDetect

Unavailable

Remediate
Remediation Steps
  • Ensure the normalizePath() function correctly handles all types of path traversal payloads.
  • Implement strict path validation checks before performing any file operations.
  • Limit file operations to a secure, predefined set of directories.
  • Regularly update the application to the latest version to incorporate security patches.
  • Conduct thorough security reviews and testing to identify and mitigate similar vulnerabilities.
Patch Details
  • Fixed Version: 1.0.0
  • Patch Commit: https://github.com/mintplex-labs/anything-llm/commit/e208074ef4c240fe03e4147ab097ec3b52b97619
Want more out of Sightline?

Sightline offers even more for premium customers

Go Premium

We have - related security advisories that are available with Sightline Premium.

Sightline logo
About Protect AIPrivacy PolicyTerms of Service
© 2024 Protect AI, Inc.
Slack iconLinkedIn iconYoutube iconX icon