Denial of Service via User ID Manipulation
A vulnerability in mintplex-labs/anything-llm allows an attacker to render a user account inaccessible by setting its user ID to 0. The issue is present in the software as of commit `57984fa85c31988b2eff429adfc654c46e0c342a` and was patched in version 1.0.0.
Available publicly on May 19 2024 | Available with Premium on Apr 26 2024
Remediation Steps
- Validate every user attribute a caller can modify, especially attributes that determine whether the account remains accessible.
- Reject the assignment of invalid user IDs, such as 0, in every code path that updates user records.
- Review the token validation logic so that every valid user ID is accepted and resolved to its account.
- Regularly audit access control policies so that only authorized callers can modify user records, and update them as the data model changes.
Patch Details
- Fixed Version: 1.0.0
- Patch Commit: https://github.com/mintplex-labs/anything-llm/commit/1b35bcbeab10b77e6dbd263cceecf1b965a40789