Platform: nodejs
Component: anything-llm
Fixed in: 1.0.1
CVE-2024-0439 describes an authorization bypass vulnerability in Anything LLM that allows unauthorized modification of settings, circumventing the intended permission controls. The vulnerability affects versions of Anything LLM up to and including 1.0.0. A fix is available in version 1.0.0.
This vulnerability allows unauthorized modification of settings within the Anything LLM platform. An attacker who understands the affected endpoints could use it to alter system configuration, potentially affecting the LLM's behavior, data processing, or security posture. While the description indicates that the settings in question are not critical, any unauthorized modification poses a risk, particularly if it touches access controls or data integrity. Because the issue is triggered with ordinary HTTP requests, the barrier to exploitation is low.
CVE-2024-0439 was publicly disclosed on 2024-02-25. There is no indication of active exploitation or of a KEV listing at the time of writing. Public proof-of-concept code is not currently available, but the low effort required to exploit the issue means it could become a target for opportunistic attackers.
Organizations running Anything LLM in environments where role-based access control matters are at risk. This includes deployments that process sensitive data or in which the LLM's configuration directly affects critical business operations. Users who rely on the integrity of the LLM's settings are also at risk.
Exploit status: disclosure
EPSS: 0.22% (44th percentile)
CVSS vector: not listed
The primary mitigation for CVE-2024-0439 is to upgrade to version 1.0.0 of Anything LLM, which includes the necessary permission fixes. If upgrading immediately is not feasible, apply stricter HTTP access controls that restrict access to the settings endpoints; a web application firewall (WAF) can be configured to block unauthorized requests to those endpoints. Review and audit user roles and permissions to ensure that the intended access levels are enforced. After upgrading, confirm that the settings can only be changed by authorized users by attempting to modify them from a non-privileged account.
Upgrade to a version later than 1.0.0 in which the vulnerability has been fixed. This prevents users with 'manager' permissions from modifying the system configuration directly through HTTP requests.
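The interim control and the post-upgrade check described above, as an added example that is not code from Anything LLM: a role guard in front of a settings-update handler, with a weak policy (managers may change system settings, as the advisory describes for affected versions) beside the hardened admin-only policy, and a `verifyPolicy` routine that plays the part of the non-privileged account attempting a modification. The path `/api/settings`, the role names, and the request shape are illustrative assumptions; no web framework is used so the file runs stand-alone with Node.

```javascript
// Added example, not Anything LLM code. Assumptions: the endpoint path
// '/api/settings', the role names 'admin'/'manager', and the request shape
// { method, path, user, body } are illustrative only.

// Authorization guard: runs `handler` only for callers whose role is listed
// in `allowed`. Unauthenticated callers get 401, wrong-role callers get 403.
function requireRole(allowed, handler) {
  return (req) => {
    if (!req.user) return { status: 401, body: { error: 'unauthenticated' } };
    if (!allowed.includes(req.user.role)) {
      return { status: 403, body: { error: 'forbidden' } };
    }
    return handler(req);
  };
}

// Build the settings-update handler over a given store so each policy check
// below works on its own copy of the data.
function makeUpdateSettings(store) {
  return (req) => {
    const patch = req.body || {};
    // Reject unknown keys so a caller cannot introduce arbitrary settings.
    for (const key of Object.keys(patch)) {
      if (!Object.prototype.hasOwnProperty.call(store, key)) {
        return { status: 400, body: { error: `unknown setting: ${key}` } };
      }
    }
    Object.assign(store, patch);
    return { status: 200, body: { ...store } };
  };
}

// Route table keyed by "METHOD path"; `allowedRoles` is the policy under test.
function makeRoutes(allowedRoles, store) {
  return {
    'POST /api/settings': requireRole(allowedRoles, makeUpdateSettings(store)),
  };
}

function dispatch(routes, req) {
  const handler = routes[`${req.method} ${req.path}`];
  if (!handler) return { status: 404, body: { error: 'not found' } };
  return handler(req);
}

// Exercise a policy with three constructed callers (manager, admin, anonymous)
// and return the status each received plus the resulting settings store.
function verifyPolicy(allowedRoles) {
  const store = { telemetry: 'on', maxUploadMb: 10 }; // constructed sample settings
  const routes = makeRoutes(allowedRoles, store);
  const base = { method: 'POST', path: '/api/settings' };
  return {
    manager: dispatch(routes, { ...base, user: { role: 'manager' }, body: { telemetry: 'off' } }).status,
    admin: dispatch(routes, { ...base, user: { role: 'admin' }, body: { maxUploadMb: 20 } }).status,
    anonymous: dispatch(routes, { ...base, user: null, body: { telemetry: 'off' } }).status,
    store,
  };
}

// Weak policy (managers may change system settings) beside the hardened
// admin-only policy that the interim access control should enforce.
const WEAK_POLICY = ['admin', 'manager'];
const HARDENED_POLICY = ['admin'];

console.log('weak    :', verifyPolicy(WEAK_POLICY));     // manager: 200
console.log('hardened:', verifyPolicy(HARDENED_POLICY)); // manager: 403
```

The same three-caller check is what you would run against a real deployment after the upgrade: a manager-role request to the settings endpoint should be rejected with 403 while an admin request still succeeds and an unauthenticated one gets 401. If a WAF rule is used as the interim control, it should produce the same outcome for the manager and anonymous cases.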
CVE-2024-0439 is a vulnerability in Anything LLM that allows unauthorized modification of settings because the authorization mechanism can be bypassed.
You are affected if you are running Anything LLM version 1.0.0 or earlier.
Upgrade to version 1.0.0 of Anything LLM to remediate the vulnerability. Consider stricter HTTP access controls on the settings endpoints as an interim measure.
There are currently no known public exploits or active campaigns targeting this CVE.
Refer to the official Anything LLM documentation and release notes for details of this vulnerability and its fix.