Denial of Service via User ID Manipulation
A vulnerability in mintplex-labs/anything-llm allows attackers to render a user account inaccessible by setting its user ID to 0. This issue affects the current version of the software, with the latest commit id `57984fa85c31988b2eff429adfc654c46e0c342a`. The vulnerability was patched in version 1.0.0.
Available publicly on May 19 2024 | Available with Premium on Apr 26 2024
Threat Overview
The vulnerability arises from the lack of input validation when modifying user attributes, specifically the user ID. An attacker with manager or admin privileges can exploit this by setting a user's ID to 0, which the system then fails to recognize as a valid ID. The account becomes inaccessible: subsequent login attempts still generate a valid token, but no other API endpoint accepts it, because the system's token validation logic incorrectly handles an ID of 0.
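The following JavaScript sketch is an added example, not code from anything-llm or from this advisory. It shows an unvalidated attribute update beside an allowlisted one, and a truthiness-based token check beside an explicit one. The function names, the writable-field set, and the assumption that the faulty check is a truthiness test are all hypothetical.

```javascript
// Added illustration: all names below are hypothetical, not anything-llm code.

// Assumed set of fields a manager or admin may change via the update endpoint.
const WRITABLE_FIELDS = new Set(["username", "role", "suspended"]);

// Before: merges whatever the request carries, so { id: 0 } rewrites the key.
function updateUserUnsafe(user, updates) {
  return { ...user, ...updates };
}

// After: allowlist the writable fields; any other key (including id) is refused.
function updateUserSafe(user, updates) {
  const rejected = Object.keys(updates).filter((k) => !WRITABLE_FIELDS.has(k));
  if (rejected.length > 0) {
    return { user, error: `fields not writable: ${rejected.join(", ")}` };
  }
  return { user: { ...user, ...updates }, error: null };
}

// Assumed shape of the faulty check: truthiness treats id 0 as "no id",
// so a correctly signed token for user 0 is refused on every endpoint.
function fragileTokenCheck(payload) {
  if (!payload || !payload.id) return { ok: false, reason: "missing id" };
  return { ok: true, userId: payload.id };
}

// Explicit type and range validation instead of truthiness; ids are assumed
// to be positive integers, so 0 is reported as invalid rather than as absent.
function strictTokenCheck(payload) {
  const id = payload ? payload.id : undefined;
  if (!Number.isInteger(id) || id < 1) return { ok: false, reason: "invalid id" };
  return { ok: true, userId: id };
}

// Audit helper: flag stored accounts whose id is outside the valid range.
function findBrokenAccounts(users) {
  return users.filter((u) => !Number.isInteger(u.id) || u.id < 1);
}

// Constructed sample data.
const victim = { id: 7, username: "alice", role: "default" };
console.log(fragileTokenCheck(updateUserUnsafe(victim, { id: 0 })));
console.log(updateUserSafe(victim, { id: 0 }).error);
```

The audit helper can be run over an exported user list to find accounts that were already altered before the update path was hardened.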
Attack Scenario
An attacker with administrative or managerial access logs into the application and sends a modified request to change a target user's ID to 0. When the victim user attempts to log in, they receive a valid token but are unable to use it for further actions within the application, effectively denying them access to their account.
Who is affected
This vulnerability affects any user account whose ID can be manipulated by an attacker with administrative or managerial privileges. The denial of service impacts the account's accessibility, preventing the legitimate user from accessing their account.