OpenCVE

mintplex-labs/anything-llm is vulnerable to improper input validation, allowing attackers to read and delete arbitrary files on the server. By manipulating the 'logo_filename' parameter in the 'system-preferences' API endpoint, an attacker can construct requests to read sensitive files or the application's '.env' file, and even delete files by setting the 'logo_filename' to the path of the target file and invoking the 'remove-logo' API endpoint. This vulnerability is due to the lack of proper sanitization of user-supplied input.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

No data.

No data.

No data.

References

Link	Providers
https://github.com/mintplex-labs/anything-llm/commit/7de23dbb2da932fbfb39f56d981784d3702cf5ce
https://huntr.com/bounties/41016b86-eabb-4161-ac81-40a1ca8e82ac

History

No history.

MITRE

Status: PUBLISHED

Assigner: @huntr_ai

Published: 2024-04-16T00:00:14.083Z

Updated: 2024-09-06T17:55:53.545Z

Reserved: 2024-03-27T19:07:34.622Z

Link: CVE-2024-3028

Vulnrichment

Updated: 2024-08-01T19:32:42.699Z

NVD

Status : Awaiting Analysis

Published: 2024-04-16T00:15:11.667

Modified: 2024-11-21T09:28:43.047

Link: CVE-2024-3028

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-3028", "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "state": "PUBLISHED", "assignerShortName": "@huntr_ai", "dateReserved": "2024-03-27T19:07:34.622Z", "datePublished": "2024-04-16T00:00:14.083Z", "dateUpdated": "2024-09-06T17:55:53.545Z"}, "containers": {"cna": {"title": "Improper Input Validation in mintplex-labs/anything-llm", "providerMetadata": {"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "shortName": "@huntr_ai", "dateUpdated": "2024-04-16T11:10:37.293Z"}, "descriptions": [{"lang": "en", "value": "mintplex-labs/anything-llm is vulnerable to improper input validation, allowing attackers to read and delete arbitrary files on the server. By manipulating the 'logo_filename' parameter in the 'system-preferences' API endpoint, an attacker can construct requests to read sensitive files or the application's '.env' file, and even delete files by setting the 'logo_filename' to the path of the target file and invoking the 'remove-logo' API endpoint. This vulnerability is due to the lack of proper sanitization of user-supplied input."}], "affected": [{"vendor": "mintplex-labs", "product": "mintplex-labs/anything-llm", "versions": [{"version": "unspecified", "lessThan": "1.0.0", "status": "affected", "versionType": "custom"}]}], "references": [{"url": "https://huntr.com/bounties/41016b86-eabb-4161-ac81-40a1ca8e82ac"}, {"url": "https://github.com/mintplex-labs/anything-llm/commit/7de23dbb2da932fbfb39f56d981784d3702cf5ce"}], "metrics": [{"cvssV3_0": {"version": "3.0", "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.2, "baseSeverity": "HIGH"}}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-20 Improper Input Validation", "cweId": "CWE-20"}]}], "source": {"advisory": "41016b86-eabb-4161-ac81-40a1ca8e82ac", "discovery": "EXTERNAL"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T19:32:42.699Z"}, "title": "CVE Program Container", "references": [{"url": "https://huntr.com/bounties/41016b86-eabb-4161-ac81-40a1ca8e82ac", "tags": ["x_transferred"]}, {"url": "https://github.com/mintplex-labs/anything-llm/commit/7de23dbb2da932fbfb39f56d981784d3702cf5ce", "tags": ["x_transferred"]}]}, {"affected": [{"vendor": "mintplexlabs", "product": "anythingllm", "cpes": ["cpe:2.3:a:mintplexlabs:anythingllm:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.0.0", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-08-07T19:15:04.156412Z", "id": "CVE-2024-3028", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-06T17:55:53.545Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://huntr.com/bounties/41016b86-eabb-4161-ac81-40a1ca8e82ac", "tags": ["x_transferred"]}, {"url": "https://github.com/mintplex-labs/anything-llm/commit/7de23dbb2da932fbfb39f56d981784d3702cf5ce", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T19:32:42.699Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-3028", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-08-07T19:15:04.156412Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:mintplexlabs:anythingllm:*:*:*:*:*:*:*:*"], "vendor": "mintplexlabs", "product": "anythingllm", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "1.0.0"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-30T15:03:10.517Z"}}], "cna": {"title": "Improper Input Validation in mintplex-labs/anything-llm", "source": {"advisory": "41016b86-eabb-4161-ac81-40a1ca8e82ac", "discovery": "EXTERNAL"}, "metrics": [{"cvssV3_0": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 7.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "mintplex-labs", "product": "mintplex-labs/anything-llm", "versions": [{"status": "affected", "version": "unspecified", "lessThan": "1.0.0", "versionType": "custom"}]}], "references": [{"url": "https://huntr.com/bounties/41016b86-eabb-4161-ac81-40a1ca8e82ac"}, {"url": "https://github.com/mintplex-labs/anything-llm/commit/7de23dbb2da932fbfb39f56d981784d3702cf5ce"}], "descriptions": [{"lang": "en", "value": "mintplex-labs/anything-llm is vulnerable to improper input validation, allowing attackers to read and delete arbitrary files on the server. By manipulating the 'logo_filename' parameter in the 'system-preferences' API endpoint, an attacker can construct requests to read sensitive files or the application's '.env' file, and even delete files by setting the 'logo_filename' to the path of the target file and invoking the 'remove-logo' API endpoint. This vulnerability is due to the lack of proper sanitization of user-supplied input."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-20", "description": "CWE-20 Improper Input Validation"}]}], "providerMetadata": {"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "shortName": "@huntr_ai", "dateUpdated": "2024-04-16T11:10:37.293Z"}}}, "cveMetadata": {"cveId": "CVE-2024-3028", "state": "PUBLISHED", "dateUpdated": "2024-09-06T17:55:53.545Z", "dateReserved": "2024-03-27T19:07:34.622Z", "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "datePublished": "2024-04-16T00:00:14.083Z", "assignerShortName": "@huntr_ai"}, "dataVersion": "5.1"}

{"descriptions": [{"lang": "en", "value": "mintplex-labs/anything-llm is vulnerable to improper input validation, allowing attackers to read and delete arbitrary files on the server. By manipulating the 'logo_filename' parameter in the 'system-preferences' API endpoint, an attacker can construct requests to read sensitive files or the application's '.env' file, and even delete files by setting the 'logo_filename' to the path of the target file and invoking the 'remove-logo' API endpoint. This vulnerability is due to the lack of proper sanitization of user-supplied input."}, {"lang": "es", "value": "mintplex-labs/anything-llm es vulnerable a una validaci\u00f3n de entrada incorrecta, lo que permite a los atacantes leer y eliminar archivos arbitrarios en el servidor. Al manipular el par\u00e1metro 'logo_filename' en el endpoint API 'system-preferences', un atacante puede crear solicitudes para leer archivos confidenciales o el archivo '.env' de la aplicaci\u00f3n, e incluso eliminar archivos configurando 'logo_filename' en la ruta del archivo de destino e invocando el endpoint API 'remove-logo'. Esta vulnerabilidad se debe a la falta de una sanitizaci\u00f3n adecuada de los datos proporcionados por el usuario."}], "id": "CVE-2024-3028", "lastModified": "2024-11-21T09:28:43.047", "metrics": {"cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "security@huntr.dev", "type": "Secondary"}]}, "published": "2024-04-16T00:15:11.667", "references": [{"source": "security@huntr.dev", "url": "https://github.com/mintplex-labs/anything-llm/commit/7de23dbb2da932fbfb39f56d981784d3702cf5ce"}, {"source": "security@huntr.dev", "url": "https://huntr.com/bounties/41016b86-eabb-4161-ac81-40a1ca8e82ac"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/mintplex-labs/anything-llm/commit/7de23dbb2da932fbfb39f56d981784d3702cf5ce"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://huntr.com/bounties/41016b86-eabb-4161-ac81-40a1ca8e82ac"}], "sourceIdentifier": "security@huntr.dev", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "security@huntr.dev", "type": "Secondary"}]}