Medium Severity

anything-llm

Denial of Service via User ID Manipulation

A vulnerability in mintplex-labs/anything-llm allows a privileged attacker (the CVSS vector rates PR:H, i.e. an account that can already edit other users) to render a user account inaccessible by setting that account's user ID to 0. The impact is limited to availability (C:N/I:N/A:H): the targeted user can no longer be resolved by the application, so they are locked out, but no data is disclosed or altered. The report was made against the then-current development version (latest commit id `57984fa85c31988b2eff429adfc654c46e0c342a`); the vulnerability was patched in version 1.0.0.

Published: May 19 2024

CVSS score: 4.9 (Medium)

CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H

Credit: lager1
Remediation Steps
  • Validate every user attribute accepted from a request, and in particular those that determine whether the account can still be reached (the user ID).
  • Reject the assignment of invalid user IDs server-side: IDs that are not positive integers, 0 included, must never be written to a user record, and the primary key should not be settable from request input at all.
  • Review the token validation logic so that it accepts every ID the user store can actually hold, rather than relying on a check that fails for edge values such as 0.
  • Regularly audit and update access control policies so that the set of accounts allowed to modify other users' attributes is as small as possible.
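The advisory does not reproduce the vulnerable code, so the following is an added example, not anything-llm's own code or its patch. It shows the bug class the remediation list describes in a hypothetical Node.js user service: an update handler that copies any field from the request body onto the user record (so an admin can set the id to 0), combined with a session check written as a truthiness test, which treats an id of 0 as "no user" because 0 is falsy in JavaScript. Beside it is a hardened pair: a positive-integer validator for IDs, a field whitelist that never takes the primary key from the request, and an explicit validity check in the session path. The in-memory user table is constructed for the example; whether this is the exact mechanism in anything-llm is an assumption.

```javascript
"use strict";

// Constructed in-memory user table for the example (not anything-llm's schema).
function makeUsers() {
  return new Map([
    [1, { id: 1, username: "admin", role: "admin" }],
    [2, { id: 2, username: "alice", role: "default" }],
  ]);
}

// --- Vulnerable variants (hypothetical) ------------------------------------

// Every key in the request body is copied onto the record (mass assignment),
// so a privileged caller can rewrite the primary key, including to 0.
function updateUserVulnerable(users, targetId, body) {
  const user = users.get(targetId);
  if (!user) return { ok: false, error: "user not found" };
  Object.assign(user, body);
  if (user.id !== targetId) {
    // Re-key the table under the new id; the old id no longer resolves.
    users.delete(targetId);
    users.set(user.id, user);
  }
  return { ok: true, id: user.id };
}

// Truthiness test on the id: 0 is falsy, so a user whose id is 0 is rejected
// exactly as if the session carried no user at all.
function resolveSessionVulnerable(users, session) {
  if (!session.userId) return null;
  return users.get(session.userId) || null;
}

// --- Hardened variants (hypothetical) --------------------------------------

// A user id is valid only if it is a positive integer; 0, negatives, NaN,
// floats and numeric strings are all refused.
function isValidUserId(value) {
  return Number.isInteger(value) && value > 0;
}

// Only whitelisted attributes are copied; the primary key is never taken
// from the request body, and an attempt to send one is an error.
const MUTABLE_FIELDS = new Set(["username", "role"]);
function updateUserHardened(users, targetId, body) {
  if (!isValidUserId(targetId)) return { ok: false, error: "invalid user id" };
  const user = users.get(targetId);
  if (!user) return { ok: false, error: "user not found" };
  if ("id" in body) return { ok: false, error: "id is not mutable" };
  for (const [key, value] of Object.entries(body)) {
    if (!MUTABLE_FIELDS.has(key)) return { ok: false, error: `unknown field ${key}` };
    user[key] = value;
  }
  return { ok: true, id: user.id };
}

// Explicit validity check instead of a truthiness test: every id that the
// store can legitimately hold is accepted here.
function resolveSessionHardened(users, session) {
  if (!isValidUserId(session.userId)) return null;
  return users.get(session.userId) ?? null;
}

// Walks the scenario from the advisory: an admin sets alice's id to 0, after
// which alice's own session no longer resolves on the vulnerable path, while
// the hardened path refuses the change and keeps resolving her session.
function demo() {
  const vulnerable = makeUsers();
  updateUserVulnerable(vulnerable, 2, { id: 0 });
  const lockedOut = resolveSessionVulnerable(vulnerable, { userId: 0 }) === null;

  const hardened = makeUsers();
  const rejected = updateUserHardened(hardened, 2, { id: 0 });
  const alice = resolveSessionHardened(hardened, { userId: 2 });

  return {
    vulnerableLockedOut: lockedOut,                 // true: alice cannot be resolved
    hardenedRejectedChange: rejected.ok === false,  // true: id change refused
    hardenedStillResolves: alice !== null && alice.username === "alice",
  };
}

console.log(demo());
```

The two hardening measures are independent: the whitelist stops the ID from being changed through the update endpoint, and the explicit validator stops a valid-but-falsy value from being misread in the session path. Applying only one of them leaves the other route open, which is why the remediation list above calls for both input validation and a review of the token logic.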
Patch Details
  • Fixed Version: 1.0.0
  • Patch Commit: https://github.com/mintplex-labs/anything-llm/commit/1b35bcbeab10b77e6dbd263cceecf1b965a40789