OpenCVE

mintplex-labs/anything-llm is affected by an uncontrolled resource consumption vulnerability in its upload file endpoint, leading to a denial of service (DOS) condition. Specifically, the server can be shut down by sending an invalid upload request. An attacker with the ability to upload documents can exploit this vulnerability to cause a DOS condition by manipulating the upload request.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Mintplexlabs	Anythingllm

Configuration 1 [-]

cpe:2.3:a:mintplexlabs:anythingllm:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/mintplex-labs/anything-llm/commit/b8d37d9f43af2facab4c51146a46229a58cb53d9
https://huntr.com/bounties/7bb08e7b-fd99-411e-99bc-07f81f474635

History

Fri, 20 Sep 2024 13:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Mintplexlabs Mintplexlabs anythingllm
CPEs		cpe:2.3:a:mintplexlabs:anythingllm::::::::
Vendors & Products		Mintplexlabs Mintplexlabs anythingllm
Metrics		cvssV3_1 `{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}`

MITRE

Status: PUBLISHED

Assigner: @huntr_ai

Published: 2024-06-06T18:40:53.604Z

Updated: 2024-08-01T20:05:07.642Z

Reserved: 2024-04-01T19:03:02.962Z

Link: CVE-2024-3153

Vulnrichment

Updated: 2024-08-01T20:05:07.642Z

NVD

Status : Modified

Published: 2024-06-06T19:16:00.600

Modified: 2024-11-21T09:29:00.963

Link: CVE-2024-3153

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-3153", "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "state": "PUBLISHED", "assignerShortName": "@huntr_ai", "dateReserved": "2024-04-01T19:03:02.962Z", "datePublished": "2024-06-06T18:40:53.604Z", "dateUpdated": "2024-08-01T20:05:07.642Z"}, "containers": {"cna": {"title": "Uncontrolled Resource Consumption in mintplex-labs/anything-llm", "providerMetadata": {"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "shortName": "@huntr_ai", "dateUpdated": "2024-06-06T18:40:53.604Z"}, "descriptions": [{"lang": "en", "value": "mintplex-labs/anything-llm is affected by an uncontrolled resource consumption vulnerability in its upload file endpoint, leading to a denial of service (DOS) condition. Specifically, the server can be shut down by sending an invalid upload request. An attacker with the ability to upload documents can exploit this vulnerability to cause a DOS condition by manipulating the upload request."}], "affected": [{"vendor": "mintplex-labs", "product": "mintplex-labs/anything-llm", "versions": [{"version": "unspecified", "lessThan": "1.0.0", "status": "affected", "versionType": "custom"}]}], "references": [{"url": "https://huntr.com/bounties/7bb08e7b-fd99-411e-99bc-07f81f474635"}, {"url": "https://github.com/mintplex-labs/anything-llm/commit/b8d37d9f43af2facab4c51146a46229a58cb53d9"}], "metrics": [{"cvssV3_0": {"version": "3.0", "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 6.5, "baseSeverity": "MEDIUM"}}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-400 Uncontrolled Resource Consumption", "cweId": "CWE-400"}]}], "source": {"advisory": "7bb08e7b-fd99-411e-99bc-07f81f474635", "discovery": "EXTERNAL"}}, "adp": [{"affected": [{"vendor": "mintplexlabs", "product": "anythingllm", "cpes": ["cpe:2.3:a:mintplexlabs:anythingllm:-:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "1.0.0", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-06-07T13:37:24.214926Z", "id": "CVE-2024-3153", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-20T13:58:10.102Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T20:05:07.642Z"}, "title": "CVE Program Container", "references": [{"url": "https://huntr.com/bounties/7bb08e7b-fd99-411e-99bc-07f81f474635", "tags": ["x_transferred"]}, {"url": "https://github.com/mintplex-labs/anything-llm/commit/b8d37d9f43af2facab4c51146a46229a58cb53d9", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://huntr.com/bounties/7bb08e7b-fd99-411e-99bc-07f81f474635", "tags": ["x_transferred"]}, {"url": "https://github.com/mintplex-labs/anything-llm/commit/b8d37d9f43af2facab4c51146a46229a58cb53d9", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T20:05:07.642Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-3153", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-06-07T13:37:24.214926Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:mintplexlabs:anythingllm:-:*:*:*:*:*:*:*"], "vendor": "mintplexlabs", "product": "anythingllm", "versions": [{"status": "affected", "version": "0", "lessThan": "1.0.0", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-07T13:38:45.571Z"}}], "cna": {"title": "Uncontrolled Resource Consumption in mintplex-labs/anything-llm", "source": {"advisory": "7bb08e7b-fd99-411e-99bc-07f81f474635", "discovery": "EXTERNAL"}, "metrics": [{"cvssV3_0": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "mintplex-labs", "product": "mintplex-labs/anything-llm", "versions": [{"status": "affected", "version": "unspecified", "lessThan": "1.0.0", "versionType": "custom"}]}], "references": [{"url": "https://huntr.com/bounties/7bb08e7b-fd99-411e-99bc-07f81f474635"}, {"url": "https://github.com/mintplex-labs/anything-llm/commit/b8d37d9f43af2facab4c51146a46229a58cb53d9"}], "descriptions": [{"lang": "en", "value": "mintplex-labs/anything-llm is affected by an uncontrolled resource consumption vulnerability in its upload file endpoint, leading to a denial of service (DOS) condition. Specifically, the server can be shut down by sending an invalid upload request. An attacker with the ability to upload documents can exploit this vulnerability to cause a DOS condition by manipulating the upload request."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-400", "description": "CWE-400 Uncontrolled Resource Consumption"}]}], "providerMetadata": {"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "shortName": "@huntr_ai", "dateUpdated": "2024-06-06T18:40:53.604Z"}}}, "cveMetadata": {"cveId": "CVE-2024-3153", "state": "PUBLISHED", "dateUpdated": "2024-08-01T20:05:07.642Z", "dateReserved": "2024-04-01T19:03:02.962Z", "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "datePublished": "2024-06-06T18:40:53.604Z", "assignerShortName": "@huntr_ai"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mintplexlabs:anythingllm:*:*:*:*:*:*:*:*", "matchCriteriaId": "0D667E32-5A5C-479C-BB81-47F3BCA38C13", "versionEndExcluding": "1.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "mintplex-labs/anything-llm is affected by an uncontrolled resource consumption vulnerability in its upload file endpoint, leading to a denial of service (DOS) condition. Specifically, the server can be shut down by sending an invalid upload request. An attacker with the ability to upload documents can exploit this vulnerability to cause a DOS condition by manipulating the upload request."}, {"lang": "es", "value": "mintplex-labs/anything-llm se ve afectado por una vulnerabilidad de consumo de recursos incontrolado en su endpoint de carga de archivos, lo que genera una condici\u00f3n de denegaci\u00f3n de servicio (DOS). Espec\u00edficamente, el servidor se puede cerrar enviando una solicitud de carga no v\u00e1lida. Un atacante con la capacidad de cargar documentos puede aprovechar esta vulnerabilidad para provocar una condici\u00f3n de DOS manipulando la solicitud de carga."}], "id": "CVE-2024-3153", "lastModified": "2024-11-21T09:29:00.963", "metrics": {"cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security@huntr.dev", "type": "Secondary"}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-06-06T19:16:00.600", "references": [{"source": "security@huntr.dev", "tags": ["Patch"], "url": "https://github.com/mintplex-labs/anything-llm/commit/b8d37d9f43af2facab4c51146a46229a58cb53d9"}, {"source": "security@huntr.dev", "tags": ["Exploit", "Third Party Advisory"], "url": "https://huntr.com/bounties/7bb08e7b-fd99-411e-99bc-07f81f474635"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/mintplex-labs/anything-llm/commit/b8d37d9f43af2facab4c51146a46229a58cb53d9"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://huntr.com/bounties/7bb08e7b-fd99-411e-99bc-07f81f474635"}], "sourceIdentifier": "security@huntr.dev", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}], "source": "security@huntr.dev", "type": "Secondary"}]}