FKIE_CVE-2024-5216

Vulnerability from fkie_nvd - Published: 2024-06-25 11:15 - Updated: 2025-07-15 15:38
Severity ?
7.5 (High) - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
A vulnerability in mintplex-labs/anything-llm allows for a Denial of Service (DoS) condition due to uncontrolled resource consumption. Specifically, the issue arises from the application's failure to limit the size of usernames, enabling attackers to create users with excessively bulky texts in the username field. This exploit results in the user management panel becoming unresponsive, preventing administrators from performing critical user management actions such as editing, suspending, or deleting users. The impact of this vulnerability includes administrative paralysis, compromised security, and operational disruption, as it allows malicious users to perpetuate their presence within the system indefinitely, undermines the system's security posture, and degrades overall system performance.
References
security@huntr.devhttps://github.com/mintplex-labs/anything-llm/commit/3ef009de73c837f9025df8bba62572885c70c72fPatch
security@huntr.devhttps://huntr.com/bounties/8ec14991-ee35-493d-a8d3-21a1cfd57869Exploit, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://github.com/mintplex-labs/anything-llm/commit/3ef009de73c837f9025df8bba62572885c70c72fPatch
af854a3a-2127-422b-91ae-364da2661108https://huntr.com/bounties/8ec14991-ee35-493d-a8d3-21a1cfd57869Exploit, Third Party Advisory
Impacted products
Vendor Product Version
mintplexlabs anythingllm *
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:mintplexlabs:anythingllm:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "0D667E32-5A5C-479C-BB81-47F3BCA38C13",
              "versionEndExcluding": "1.0.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A vulnerability in mintplex-labs/anything-llm allows for a Denial of Service (DoS) condition due to uncontrolled resource consumption. Specifically, the issue arises from the application\u0027s failure to limit the size of usernames, enabling attackers to create users with excessively bulky texts in the username field. This exploit results in the user management panel becoming unresponsive, preventing administrators from performing critical user management actions such as editing, suspending, or deleting users. The impact of this vulnerability includes administrative paralysis, compromised security, and operational disruption, as it allows malicious users to perpetuate their presence within the system indefinitely, undermines the system\u0027s security posture, and degrades overall system performance."
    },
    {
      "lang": "es",
      "value": "Una vulnerabilidad en mintplex-labs/anything-llm permite una condici\u00f3n de Denegaci\u00f3n de Servicio (DoS) debido al consumo incontrolado de recursos. Espec\u00edficamente, el problema surge porque la aplicaci\u00f3n no limita el tama\u00f1o de los nombres de usuario, lo que permite a los atacantes crear usuarios con textos excesivamente voluminosos en el campo de nombre de usuario. Este exploit hace que el panel de administraci\u00f3n de usuarios deje de responder, lo que impide que los administradores realicen acciones cr\u00edticas de administraci\u00f3n de usuarios, como editar, suspender o eliminar usuarios. El impacto de esta vulnerabilidad incluye par\u00e1lisis administrativa, seguridad comprometida e interrupci\u00f3n operativa, ya que permite a los usuarios malintencionados perpetuar su presencia dentro del sistema indefinidamente, socava la postura de seguridad del sistema y degrada el rendimiento general del sistema."
    }
  ],
  "id": "CVE-2024-5216",
  "lastModified": "2025-07-15T15:38:18.290",
  "metrics": {
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.0"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "security@huntr.dev",
        "type": "Secondary"
      }
    ]
  },
  "published": "2024-06-25T11:15:50.193",
  "references": [
    {
      "source": "security@huntr.dev",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/mintplex-labs/anything-llm/commit/3ef009de73c837f9025df8bba62572885c70c72f"
    },
    {
      "source": "security@huntr.dev",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://huntr.com/bounties/8ec14991-ee35-493d-a8d3-21a1cfd57869"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/mintplex-labs/anything-llm/commit/3ef009de73c837f9025df8bba62572885c70c72f"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://huntr.com/bounties/8ec14991-ee35-493d-a8d3-21a1cfd57869"
    }
  ],
  "sourceIdentifier": "security@huntr.dev",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-400"
        }
      ],
      "source": "security@huntr.dev",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "NVD-CWE-noinfo"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.