CVE-2024-0455 (GCVE-0-2024-0455)

Vulnerability from cvelistv5 – Published: 2024-02-25 08:10 – Updated: 2024-08-12 13:40
VLAI?
Title
SSRF on AWS deployed instances of AnythingLLM via /metadata
Summary
The inclusion of the web scraper for AnythingLLM means that any user with the proper authorization level (manager, admin, and when in single user) could put in the URL ``` http://169.254.169.254/latest/meta-data/identity-credentials/ec2/security-credentials/ec2-instance ``` which is a special IP and URL that resolves only when the request comes from within an EC2 instance. This would allow the user to see the connection/secret credentials for their specific instance and be able to manage it regardless of who deployed it. The user would have to have pre-existing knowledge of the hosting infra which the target instance is deployed on, but if sent - would resolve if on EC2 and the proper `iptable` or firewall rule is not configured for their setup.
Severity ?
9.9 (Critical)
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
CWE
  • CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
Impacted products
Vendor Product Version
mintplex-labs mintplex-labs/anything-llm Affected: unspecified , < 1.0.0 (custom)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-01T18:04:49.766Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://huntr.com/bounties/07d83b49-7ebb-40d2-83fc-78381e3c5c9c"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/mintplex-labs/anything-llm/commit/b2b2c2afe15c48952d57b4d01e7108f9515c5f55"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:mintplex-labs:mintplex-labs\\/anything-llm:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "mintplex-labs\\/anything-llm",
            "vendor": "mintplex-labs",
            "versions": [
              {
                "lessThan": "1.0.0",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-0455",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-02-26T17:43:56.632050Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-08-12T13:40:34.185Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "mintplex-labs/anything-llm",
          "vendor": "mintplex-labs",
          "versions": [
            {
              "lessThan": "1.0.0",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The inclusion of the web scraper for AnythingLLM means that any user with the proper authorization level (manager, admin, and when in single user) could put in the URL\n```\nhttp://169.254.169.254/latest/meta-data/identity-credentials/ec2/security-credentials/ec2-instance\n```\nwhich is a special IP and URL that resolves only when the request comes from within an EC2 instance. This would allow the user to see the connection/secret credentials for their specific instance and be able to manage it regardless of who deployed it.\n\nThe user would have to have pre-existing knowledge of the hosting infra which the target instance is deployed on, but if sent - would resolve if on EC2 and the proper `iptable` or firewall rule is not configured for their setup."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.9,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-918",
              "description": "CWE-918 Server-Side Request Forgery (SSRF)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-02-25T08:11:20.487Z",
        "orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
        "shortName": "@huntr_ai"
      },
      "references": [
        {
          "url": "https://huntr.com/bounties/07d83b49-7ebb-40d2-83fc-78381e3c5c9c"
        },
        {
          "url": "https://github.com/mintplex-labs/anything-llm/commit/b2b2c2afe15c48952d57b4d01e7108f9515c5f55"
        }
      ],
      "source": {
        "advisory": "07d83b49-7ebb-40d2-83fc-78381e3c5c9c",
        "discovery": "EXTERNAL"
      },
      "title": "SSRF on AWS deployed instances of AnythingLLM via /metadata"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
    "assignerShortName": "@huntr_ai",
    "cveId": "CVE-2024-0455",
    "datePublished": "2024-02-25T08:10:17.100Z",
    "dateReserved": "2024-01-12T02:27:05.374Z",
    "dateUpdated": "2024-08-12T13:40:34.185Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2024-0455",
      "date": "2026-04-25",
      "epss": "0.00191",
      "percentile": "0.40864"
    },
    "fkie_nvd": {
      "descriptions": "[{\"lang\": \"en\", \"value\": \"The inclusion of the web scraper for AnythingLLM means that any user with the proper authorization level (manager, admin, and when in single user) could put in the URL\\n```\\nhttp://169.254.169.254/latest/meta-data/identity-credentials/ec2/security-credentials/ec2-instance\\n```\\nwhich is a special IP and URL that resolves only when the request comes from within an EC2 instance. This would allow the user to see the connection/secret credentials for their specific instance and be able to manage it regardless of who deployed it.\\n\\nThe user would have to have pre-existing knowledge of the hosting infra which the target instance is deployed on, but if sent - would resolve if on EC2 and the proper `iptable` or firewall rule is not configured for their setup.\"}, {\"lang\": \"es\", \"value\": \"La inclusi\\u00f3n del web scraper para AnythingLLM significa que cualquier usuario con el nivel de autorizaci\\u00f3n adecuado (administrador, administrador y cuando sea usuario \\u00fanico) podr\\u00eda ingresar la URL ``` http://169.254.169.254/latest/meta-data/ Identity-credentials/ec2/security-credentials/ec2-instance ``` que es una IP y URL especiales que se resuelven solo cuando la solicitud proviene de una instancia EC2. Esto permitir\\u00eda al usuario ver la conexi\\u00f3n/credenciales secretas para su instancia espec\\u00edfica y poder administrarla independientemente de qui\\u00e9n la haya implementado. El usuario deber\\u00eda tener conocimientos preexistentes de la infraestructura de alojamiento en la que se implementa la instancia de destino, pero si se env\\u00eda, se resolver\\u00e1 si est\\u00e1 en EC2 y no est\\u00e1 configurada la regla de firewall o \\\"iptable\\\" adecuada para su configuraci\\u00f3n.\"}]",
      "id": "CVE-2024-0455",
      "lastModified": "2024-11-21T08:46:37.683",
      "metrics": "{\"cvssMetricV30\": [{\"source\": \"security@huntr.dev\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.0\", \"vectorString\": \"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H\", \"baseScore\": 9.9, \"baseSeverity\": \"CRITICAL\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 3.1, \"impactScore\": 6.0}]}",
      "published": "2024-02-26T16:27:50.937",
      "references": "[{\"url\": \"https://github.com/mintplex-labs/anything-llm/commit/b2b2c2afe15c48952d57b4d01e7108f9515c5f55\", \"source\": \"security@huntr.dev\"}, {\"url\": \"https://huntr.com/bounties/07d83b49-7ebb-40d2-83fc-78381e3c5c9c\", \"source\": \"security@huntr.dev\"}, {\"url\": \"https://github.com/mintplex-labs/anything-llm/commit/b2b2c2afe15c48952d57b4d01e7108f9515c5f55\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://huntr.com/bounties/07d83b49-7ebb-40d2-83fc-78381e3c5c9c\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}]",
      "sourceIdentifier": "security@huntr.dev",
      "vulnStatus": "Awaiting Analysis",
      "weaknesses": "[{\"source\": \"security@huntr.dev\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-918\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-0455\",\"sourceIdentifier\":\"security@huntr.dev\",\"published\":\"2024-02-26T16:27:50.937\",\"lastModified\":\"2025-02-27T03:11:09.917\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"The inclusion of the web scraper for AnythingLLM means that any user with the proper authorization level (manager, admin, and when in single user) could put in the URL\\n```\\nhttp://169.254.169.254/latest/meta-data/identity-credentials/ec2/security-credentials/ec2-instance\\n```\\nwhich is a special IP and URL that resolves only when the request comes from within an EC2 instance. This would allow the user to see the connection/secret credentials for their specific instance and be able to manage it regardless of who deployed it.\\n\\nThe user would have to have pre-existing knowledge of the hosting infra which the target instance is deployed on, but if sent - would resolve if on EC2 and the proper `iptable` or firewall rule is not configured for their setup.\"},{\"lang\":\"es\",\"value\":\"La inclusi\u00f3n del web scraper para AnythingLLM significa que cualquier usuario con el nivel de autorizaci\u00f3n adecuado (administrador, administrador y cuando sea usuario \u00fanico) podr\u00eda ingresar la URL ``` http://169.254.169.254/latest/meta-data/ Identity-credentials/ec2/security-credentials/ec2-instance ``` que es una IP y URL especiales que se resuelven solo cuando la solicitud proviene de una instancia EC2. Esto permitir\u00eda al usuario ver la conexi\u00f3n/credenciales secretas para su instancia espec\u00edfica y poder administrarla independientemente de qui\u00e9n la haya implementado. El usuario deber\u00eda tener conocimientos preexistentes de la infraestructura de alojamiento en la que se implementa la instancia de destino, pero si se env\u00eda, se resolver\u00e1 si est\u00e1 en EC2 y no est\u00e1 configurada la regla de firewall o \\\"iptable\\\" adecuada para su configuraci\u00f3n.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}],\"cvssMetricV30\":[{\"source\":\"security@huntr.dev\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.0\",\"vectorString\":\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H\",\"baseScore\":9.9,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.1,\"impactScore\":6.0}]},\"weaknesses\":[{\"source\":\"security@huntr.dev\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-918\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:mintplexlabs:anythingllm:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"64E68D44-CB47-4530-9D0C-C006AB67B185\"}]}]}],\"references\":[{\"url\":\"https://github.com/mintplex-labs/anything-llm/commit/b2b2c2afe15c48952d57b4d01e7108f9515c5f55\",\"source\":\"security@huntr.dev\",\"tags\":[\"Patch\"]},{\"url\":\"https://huntr.com/bounties/07d83b49-7ebb-40d2-83fc-78381e3c5c9c\",\"source\":\"security@huntr.dev\",\"tags\":[\"Exploit\"]},{\"url\":\"https://github.com/mintplex-labs/anything-llm/commit/b2b2c2afe15c48952d57b4d01e7108f9515c5f55\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://huntr.com/bounties/07d83b49-7ebb-40d2-83fc-78381e3c5c9c\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://huntr.com/bounties/07d83b49-7ebb-40d2-83fc-78381e3c5c9c\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://github.com/mintplex-labs/anything-llm/commit/b2b2c2afe15c48952d57b4d01e7108f9515c5f55\", \"tags\": [\"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-01T18:04:49.766Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-0455\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-02-26T17:43:56.632050Z\"}}}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:mintplex-labs:mintplex-labs\\\\/anything-llm:*:*:*:*:*:*:*:*\"], \"vendor\": \"mintplex-labs\", \"product\": \"mintplex-labs\\\\/anything-llm\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"1.0.0\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unknown\"}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-08-12T13:40:18.674Z\"}}], \"cna\": {\"title\": \"SSRF on AWS deployed instances of AnythingLLM via /metadata\", \"source\": {\"advisory\": \"07d83b49-7ebb-40d2-83fc-78381e3c5c9c\", \"discovery\": \"EXTERNAL\"}, \"metrics\": [{\"cvssV3_0\": {\"scope\": \"CHANGED\", \"version\": \"3.0\", \"baseScore\": 9.9, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"mintplex-labs\", \"product\": \"mintplex-labs/anything-llm\", \"versions\": [{\"status\": \"affected\", \"version\": \"unspecified\", \"lessThan\": \"1.0.0\", \"versionType\": \"custom\"}]}], \"references\": [{\"url\": \"https://huntr.com/bounties/07d83b49-7ebb-40d2-83fc-78381e3c5c9c\"}, {\"url\": \"https://github.com/mintplex-labs/anything-llm/commit/b2b2c2afe15c48952d57b4d01e7108f9515c5f55\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"The inclusion of the web scraper for AnythingLLM means that any user with the proper authorization level (manager, admin, and when in single user) could put in the URL\\n```\\nhttp://169.254.169.254/latest/meta-data/identity-credentials/ec2/security-credentials/ec2-instance\\n```\\nwhich is a special IP and URL that resolves only when the request comes from within an EC2 instance. This would allow the user to see the connection/secret credentials for their specific instance and be able to manage it regardless of who deployed it.\\n\\nThe user would have to have pre-existing knowledge of the hosting infra which the target instance is deployed on, but if sent - would resolve if on EC2 and the proper `iptable` or firewall rule is not configured for their setup.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-918\", \"description\": \"CWE-918 Server-Side Request Forgery (SSRF)\"}]}], \"providerMetadata\": {\"orgId\": \"c09c270a-b464-47c1-9133-acb35b22c19a\", \"shortName\": \"@huntr_ai\", \"dateUpdated\": \"2024-02-25T08:11:20.487Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-0455\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-08-12T13:40:34.185Z\", \"dateReserved\": \"2024-01-12T02:27:05.374Z\", \"assignerOrgId\": \"c09c270a-b464-47c1-9133-acb35b22c19a\", \"datePublished\": \"2024-02-25T08:10:17.100Z\", \"assignerShortName\": \"@huntr_ai\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.