cve-2024-0455
Vulnerability from cvelistv5
Published
2024-02-25 08:10
Modified
2024-08-12 13:40
Severity ?
9.9 (Critical) - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Summary
SSRF on AWS deployed instances of AnythingLLM via /metadata
References
security@huntr.devhttps://github.com/mintplex-labs/anything-llm/commit/b2b2c2afe15c48952d57b4d01e7108f9515c5f55
security@huntr.devhttps://huntr.com/bounties/07d83b49-7ebb-40d2-83fc-78381e3c5c9c
Impacted products
mintplex-labsmintplex-labs/anything-llm
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-01T18:04:49.766Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://huntr.com/bounties/07d83b49-7ebb-40d2-83fc-78381e3c5c9c"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/mintplex-labs/anything-llm/commit/b2b2c2afe15c48952d57b4d01e7108f9515c5f55"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:mintplex-labs:mintplex-labs\\/anything-llm:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "mintplex-labs\\/anything-llm",
            "vendor": "mintplex-labs",
            "versions": [
              {
                "lessThan": "1.0.0",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-0455",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-02-26T17:43:56.632050Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-08-12T13:40:34.185Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "mintplex-labs/anything-llm",
          "vendor": "mintplex-labs",
          "versions": [
            {
              "lessThan": "1.0.0",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The inclusion of the web scraper for AnythingLLM means that any user with the proper authorization level (manager, admin, and when in single user) could put in the URL\n```\nhttp://169.254.169.254/latest/meta-data/identity-credentials/ec2/security-credentials/ec2-instance\n```\nwhich is a special IP and URL that resolves only when the request comes from within an EC2 instance. This would allow the user to see the connection/secret credentials for their specific instance and be able to manage it regardless of who deployed it.\n\nThe user would have to have pre-existing knowledge of the hosting infra which the target instance is deployed on, but if sent - would resolve if on EC2 and the proper `iptable` or firewall rule is not configured for their setup."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.9,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-918",
              "description": "CWE-918 Server-Side Request Forgery (SSRF)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-02-25T08:11:20.487Z",
        "orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
        "shortName": "@huntr_ai"
      },
      "references": [
        {
          "url": "https://huntr.com/bounties/07d83b49-7ebb-40d2-83fc-78381e3c5c9c"
        },
        {
          "url": "https://github.com/mintplex-labs/anything-llm/commit/b2b2c2afe15c48952d57b4d01e7108f9515c5f55"
        }
      ],
      "source": {
        "advisory": "07d83b49-7ebb-40d2-83fc-78381e3c5c9c",
        "discovery": "EXTERNAL"
      },
      "title": "SSRF on AWS deployed instances of AnythingLLM via /metadata"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
    "assignerShortName": "@huntr_ai",
    "cveId": "CVE-2024-0455",
    "datePublished": "2024-02-25T08:10:17.100Z",
    "dateReserved": "2024-01-12T02:27:05.374Z",
    "dateUpdated": "2024-08-12T13:40:34.185Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-0455\",\"sourceIdentifier\":\"security@huntr.dev\",\"published\":\"2024-02-26T16:27:50.937\",\"lastModified\":\"2024-02-26T16:32:25.577\",\"vulnStatus\":\"Awaiting Analysis\",\"descriptions\":[{\"lang\":\"en\",\"value\":\"The inclusion of the web scraper for AnythingLLM means that any user with the proper authorization level (manager, admin, and when in single user) could put in the URL\\n```\\nhttp://169.254.169.254/latest/meta-data/identity-credentials/ec2/security-credentials/ec2-instance\\n```\\nwhich is a special IP and URL that resolves only when the request comes from within an EC2 instance. This would allow the user to see the connection/secret credentials for their specific instance and be able to manage it regardless of who deployed it.\\n\\nThe user would have to have pre-existing knowledge of the hosting infra which the target instance is deployed on, but if sent - would resolve if on EC2 and the proper `iptable` or firewall rule is not configured for their setup.\"},{\"lang\":\"es\",\"value\":\"La inclusi\u00f3n del web scraper para AnythingLLM significa que cualquier usuario con el nivel de autorizaci\u00f3n adecuado (administrador, administrador y cuando sea usuario \u00fanico) podr\u00eda ingresar la URL ``` http://169.254.169.254/latest/meta-data/ Identity-credentials/ec2/security-credentials/ec2-instance ``` que es una IP y URL especiales que se resuelven solo cuando la solicitud proviene de una instancia EC2. Esto permitir\u00eda al usuario ver la conexi\u00f3n/credenciales secretas para su instancia espec\u00edfica y poder administrarla independientemente de qui\u00e9n la haya implementado. El usuario deber\u00eda tener conocimientos preexistentes de la infraestructura de alojamiento en la que se implementa la instancia de destino, pero si se env\u00eda, se resolver\u00e1 si est\u00e1 en EC2 y no est\u00e1 configurada la regla de firewall o \\\"iptable\\\" adecuada para su configuraci\u00f3n.\"}],\"metrics\":{\"cvssMetricV30\":[{\"source\":\"security@huntr.dev\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.0\",\"vectorString\":\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\",\"baseScore\":9.9,\"baseSeverity\":\"CRITICAL\"},\"exploitabilityScore\":3.1,\"impactScore\":6.0}]},\"weaknesses\":[{\"source\":\"security@huntr.dev\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-918\"}]}],\"references\":[{\"url\":\"https://github.com/mintplex-labs/anything-llm/commit/b2b2c2afe15c48952d57b4d01e7108f9515c5f55\",\"source\":\"security@huntr.dev\"},{\"url\":\"https://huntr.com/bounties/07d83b49-7ebb-40d2-83fc-78381e3c5c9c\",\"source\":\"security@huntr.dev\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.