Severity: High

Product: anything-llm

Path Traversal Leading to Arbitrary File Operations and Privilege Escalation

A path traversal vulnerability in anything-llm at git commit 296f041 allows attackers to perform arbitrary file read and write operations within the storage directory, enabling potential privilege escalation from the manager role to admin. The issue was patched in version 1.2.2.

Available publicly on Oct 27 2024

CVSS: 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)

Credit: oicu0619

Remediation Steps
  • Update to version 1.2.2 or later.
  • Review and improve input validation for file paths to prevent path traversal.
  • Implement additional security measures such as access controls and monitoring to detect and prevent unauthorized file operations.
  • Regularly audit and review code for similar vulnerabilities.

Patch Details
  • Fixed Version: 1.2.2
  • Patch Commit: https://github.com/mintplex-labs/anything-llm/commit/47a5c7126c20e2277ee56e2c7ee11990886a40a7