High

anything-llm

Path Traversal Leading to Arbitrary File Operations and Privilege Escalation

A path traversal vulnerability in version git 296f041 of the software allows attackers to perform arbitrary file read/write operations in the storage directory, leading to potential privilege escalation from manager to admin. This issue was patched in version 1.2.2.

Available publicly on Oct 27 2024

7.2

CVSS:

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Credit:

oicu0619
Threat Overview

The vulnerability arises from a flawed implementation of the normalizePath function, which fails to correctly filter malicious file path inputs. This allows an attacker to traverse directories and perform arbitrary file operations within the storage directory. By exploiting this flaw, an attacker with manager privileges can read and modify the database file to escalate their privileges to admin. The vulnerability can also lead to denial of service (DoS) through arbitrary file deletion.

Attack Scenario

An attacker with manager privileges uploads a profile picture and then uses the path traversal vulnerability to move the database file to a location where it can be downloaded. The attacker modifies the database file to escalate their privileges to admin and uploads it back to the server. Finally, the attacker moves the modified database file back to its original location, effectively gaining admin privileges after a server restart.

Who is affected

Users running the affected version (git 296f041) of the software, particularly those in multi-user environments where users have different privilege levels, are at risk. Administrators and managers are specifically targeted in this attack scenario.

Technical Report
Want more out of Sightline?

Sightline offers even more for premium customers

Go Premium

We have - related security advisories that are available with Sightline Premium.