FKIE_CVE-2024-4284

Vulnerability from fkie_nvd - Published: 2024-05-19 23:15 - Updated: 2025-07-10 16:14
Severity ?
4.9 (Medium) - CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
Summary
A vulnerability in mintplex-labs/anything-llm allows for a denial of service (DoS) condition through the modification of a user's `id` attribute to a value of 0. This issue affects the current version of the software, with the latest commit id `57984fa85c31988b2eff429adfc654c46e0c342a`. By exploiting this vulnerability, an attacker, with manager or admin privileges, can render a chosen account completely inaccessible. The application's mechanism for suspending accounts does not provide a means to reverse this condition through the UI, leading to uncontrolled resource consumption. The vulnerability is introduced due to the lack of input validation and sanitization in the user modification endpoint and the middleware's token validation logic. This issue has been addressed in version 1.0.0 of the software.
References
security@huntr.devhttps://github.com/mintplex-labs/anything-llm/commit/1b35bcbeab10b77e6dbd263cceecf1b965a40789Patch
security@huntr.devhttps://huntr.com/bounties/a5f45596-0aef-49e0-9f7d-63f1955a1552Exploit, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://github.com/mintplex-labs/anything-llm/commit/1b35bcbeab10b77e6dbd263cceecf1b965a40789Patch
af854a3a-2127-422b-91ae-364da2661108https://huntr.com/bounties/a5f45596-0aef-49e0-9f7d-63f1955a1552Exploit, Third Party Advisory
Impacted products
Vendor Product Version
mintplexlabs anythingllm *
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:mintplexlabs:anythingllm:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "0D667E32-5A5C-479C-BB81-47F3BCA38C13",
              "versionEndExcluding": "1.0.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A vulnerability in mintplex-labs/anything-llm allows for a denial of service (DoS) condition through the modification of a user\u0027s `id` attribute to a value of 0. This issue affects the current version of the software, with the latest commit id `57984fa85c31988b2eff429adfc654c46e0c342a`. By exploiting this vulnerability, an attacker, with manager or admin privileges, can render a chosen account completely inaccessible. The application\u0027s mechanism for suspending accounts does not provide a means to reverse this condition through the UI, leading to uncontrolled resource consumption. The vulnerability is introduced due to the lack of input validation and sanitization in the user modification endpoint and the middleware\u0027s token validation logic. This issue has been addressed in version 1.0.0 of the software."
    },
    {
      "lang": "es",
      "value": "Una vulnerabilidad en mintplex-labs/anything-llm permite una condici\u00f3n de denegaci\u00f3n de servicio (DoS) mediante la modificaci\u00f3n del atributo `id` de un usuario a un valor de 0. Este problema afecta la versi\u00f3n actual del software, con la \u00faltima confirmaci\u00f3n identificaci\u00f3n `57984fa85c31988b2eff429adfc654c46e0c342a`. Al explotar esta vulnerabilidad, un atacante, con privilegios de administrador o administrador, puede hacer que la cuenta elegida sea completamente inaccesible. El mecanismo de la aplicaci\u00f3n para suspender cuentas no proporciona un medio para revertir esta condici\u00f3n a trav\u00e9s de la interfaz de usuario, lo que genera un consumo descontrolado de recursos. La vulnerabilidad se introduce debido a la falta de validaci\u00f3n y desinfecci\u00f3n de entradas en el endpoint de modificaci\u00f3n del usuario y la l\u00f3gica de validaci\u00f3n del token del middleware. Este problema se solucion\u00f3 en la versi\u00f3n 1.0.0 del software."
    }
  ],
  "id": "CVE-2024-4284",
  "lastModified": "2025-07-10T16:14:58.460",
  "metrics": {
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 4.9,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "HIGH",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.0"
        },
        "exploitabilityScore": 1.2,
        "impactScore": 3.6,
        "source": "security@huntr.dev",
        "type": "Secondary"
      }
    ]
  },
  "published": "2024-05-19T23:15:06.960",
  "references": [
    {
      "source": "security@huntr.dev",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/mintplex-labs/anything-llm/commit/1b35bcbeab10b77e6dbd263cceecf1b965a40789"
    },
    {
      "source": "security@huntr.dev",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://huntr.com/bounties/a5f45596-0aef-49e0-9f7d-63f1955a1552"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/mintplex-labs/anything-llm/commit/1b35bcbeab10b77e6dbd263cceecf1b965a40789"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://huntr.com/bounties/a5f45596-0aef-49e0-9f7d-63f1955a1552"
    }
  ],
  "sourceIdentifier": "security@huntr.dev",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-400"
        }
      ],
      "source": "security@huntr.dev",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "NVD-CWE-noinfo"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.