cve-2024-5208
Vulnerability from cvelistv5
Published
2024-06-19 06:13
Modified
2024-08-01 21:03
Severity ?
6.5 (Medium) - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
Uncontrolled Resource Consumption in mintplex-labs/anything-llm
References
security@huntr.devhttps://github.com/mintplex-labs/anything-llm/commit/e2439c6d4c3cfdacd96cd1b7b92d1f89c3cc8459
security@huntr.devhttps://huntr.com/bounties/6c8bdfa1-ec56-4b02-bde9-cfc27470e6ca
af854a3a-2127-422b-91ae-364da2661108https://github.com/mintplex-labs/anything-llm/commit/e2439c6d4c3cfdacd96cd1b7b92d1f89c3cc8459
af854a3a-2127-422b-91ae-364da2661108https://huntr.com/bounties/6c8bdfa1-ec56-4b02-bde9-cfc27470e6ca
Impacted products
mintplex-labsmintplex-labs/anything-llm
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:mintplexlabs:anythingllm:-:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "anythingllm",
            "vendor": "mintplexlabs",
            "versions": [
              {
                "lessThan": "1.0.0",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-5208",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-06-20T13:55:02.424393Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-20T13:58:35.705Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-01T21:03:11.057Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://huntr.com/bounties/6c8bdfa1-ec56-4b02-bde9-cfc27470e6ca"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/mintplex-labs/anything-llm/commit/e2439c6d4c3cfdacd96cd1b7b92d1f89c3cc8459"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "mintplex-labs/anything-llm",
          "vendor": "mintplex-labs",
          "versions": [
            {
              "lessThan": "1.0.0",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "An uncontrolled resource consumption vulnerability exists in the `upload-link` endpoint of mintplex-labs/anything-llm. This vulnerability allows attackers to cause a denial of service (DOS) by shutting down the server through sending invalid upload requests. Specifically, the server can be made to shut down by sending an empty body with a \u0027Content-Length: 0\u0027 header or by sending a body with arbitrary content, such as \u0027asdasdasd\u0027, with a \u0027Content-Length: 9\u0027 header. The vulnerability is reproducible by users with at least a \u0027Manager\u0027 role, sending a crafted request to any workspace. This issue indicates that a previous fix was not effective in mitigating the vulnerability."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-400",
              "description": "CWE-400 Uncontrolled Resource Consumption",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-06-19T06:13:21.660Z",
        "orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
        "shortName": "@huntr_ai"
      },
      "references": [
        {
          "url": "https://huntr.com/bounties/6c8bdfa1-ec56-4b02-bde9-cfc27470e6ca"
        },
        {
          "url": "https://github.com/mintplex-labs/anything-llm/commit/e2439c6d4c3cfdacd96cd1b7b92d1f89c3cc8459"
        }
      ],
      "source": {
        "advisory": "6c8bdfa1-ec56-4b02-bde9-cfc27470e6ca",
        "discovery": "EXTERNAL"
      },
      "title": "Uncontrolled Resource Consumption in mintplex-labs/anything-llm"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
    "assignerShortName": "@huntr_ai",
    "cveId": "CVE-2024-5208",
    "datePublished": "2024-06-19T06:13:21.660Z",
    "dateReserved": "2024-05-22T16:33:56.196Z",
    "dateUpdated": "2024-08-01T21:03:11.057Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-5208\",\"sourceIdentifier\":\"security@huntr.dev\",\"published\":\"2024-06-19T06:15:11.420\",\"lastModified\":\"2024-11-21T09:47:11.387\",\"vulnStatus\":\"Awaiting Analysis\",\"descriptions\":[{\"lang\":\"en\",\"value\":\"An uncontrolled resource consumption vulnerability exists in the `upload-link` endpoint of mintplex-labs/anything-llm. This vulnerability allows attackers to cause a denial of service (DOS) by shutting down the server through sending invalid upload requests. Specifically, the server can be made to shut down by sending an empty body with a \u0027Content-Length: 0\u0027 header or by sending a body with arbitrary content, such as \u0027asdasdasd\u0027, with a \u0027Content-Length: 9\u0027 header. The vulnerability is reproducible by users with at least a \u0027Manager\u0027 role, sending a crafted request to any workspace. This issue indicates that a previous fix was not effective in mitigating the vulnerability.\"},{\"lang\":\"es\",\"value\":\"Existe una vulnerabilidad de consumo de recursos incontrolado en el endpoint `upload-link` de mintplex-labs/anything-llm. Esta vulnerabilidad permite a los atacantes provocar una denegaci\u00f3n de servicio (DOS) apagando el servidor mediante el env\u00edo de solicitudes de carga no v\u00e1lidas. Espec\u00edficamente, se puede hacer que el servidor se apague enviando un cuerpo vac\u00edo con un encabezado \u0027Content-Length: 0\u0027 o enviando un cuerpo con contenido arbitrario, como \u0027asdasdasd\u0027, con un encabezado \u0027Content-Length: 9\u0027. . La vulnerabilidad es reproducible por usuarios con al menos un rol de \\\"Administrador\\\", enviando una solicitud manipulada a cualquier espacio de trabajo. Este problema indica que una soluci\u00f3n anterior no fue eficaz para mitigar la vulnerabilidad.\"}],\"metrics\":{\"cvssMetricV30\":[{\"source\":\"security@huntr.dev\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.0\",\"vectorString\":\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security@huntr.dev\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-400\"}]}],\"references\":[{\"url\":\"https://github.com/mintplex-labs/anything-llm/commit/e2439c6d4c3cfdacd96cd1b7b92d1f89c3cc8459\",\"source\":\"security@huntr.dev\"},{\"url\":\"https://huntr.com/bounties/6c8bdfa1-ec56-4b02-bde9-cfc27470e6ca\",\"source\":\"security@huntr.dev\"},{\"url\":\"https://github.com/mintplex-labs/anything-llm/commit/e2439c6d4c3cfdacd96cd1b7b92d1f89c3cc8459\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://huntr.com/bounties/6c8bdfa1-ec56-4b02-bde9-cfc27470e6ca\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.