Platform
nodejs
Component
anything-llm
Fixed in
0.7.2
CVE-2024-0455 is a critical Server-Side Request Forgery (SSRF) vulnerability in the web-scraper (link ingestion) feature of AnythingLLM in versions before 1.0.0. An authenticated user holding the manager or admin role can make the application server fetch an attacker-chosen URL; on an EC2 host that includes the instance metadata service, so the temporary credentials issued to the instance can be read. Successful exploitation can lead to unauthorized access to, and control over, the AWS infrastructure around the application. A fix is available in version 1.0.0.
The SSRF sits in the URL-fetching path of the web scraper. Any account allowed to add links (manager, admin, or the sole user of a single-user deployment) can submit a URL such as http://169.254.169.254/latest/meta-data/identity-credentials/ec2/security-credentials/ec2-instance; the server fetches it from its own network position and returns the temporary security credentials associated with the EC2 instance hosting the application. Because IMDSv1 does not authenticate callers, every other path under http://169.254.169.254/latest/meta-data/ is reachable the same way, including the instance-profile credentials under iam/security-credentials/. With those keys the attacker acts as the instance against the AWS API: reading other resources, modifying configurations, or launching new instances, limited only by the IAM policy attached to the instance role. The blast radius is therefore the set of AWS resources that role can reach, and the impact is most severe where the role is broad or the account holds sensitive data or critical infrastructure.
CVE-2024-0455 was publicly disclosed on 2024-02-25. Exploitation is a single crafted URL once a manager or admin session exists, but that prerequisite keeps the probability of exploitation moderate rather than high, which is consistent with the EPSS score of 0.24% (48th percentile). No public proof-of-concept (PoC) code had been released at the time of writing, though the vulnerability is straightforward to exploit for anyone holding the required role. It is not currently listed in the CISA KEV catalog.
Organizations running AnythingLLM on Amazon EC2 are the ones at risk. Exposure is highest where the instance role carries broad IAM permissions, where IMDSv1 is still enabled (no session token required to read metadata), and where manager or admin roles are granted liberally. Shared hosting environments running AnythingLLM, where one tenant's privileged user reaches credentials of the shared instance, are likewise exposed.
• nodejs / server (search the application or container logs for requests aimed at the metadata service; the container name is a placeholder for your deployment):
docker logs anythingllm 2>&1 | grep -n '169\.254\.169\.254'
• generic web (the /scrape?url= path is a placeholder for the link-ingestion endpoint of your deployment; send the request with a manager or admin session, otherwise the status code only reflects missing authentication):
curl -s -o /dev/null -w '%{http_code}\n' 'http://your-anythingllm-instance/scrape?url=http://169.254.169.254/latest/meta-data/identity-credentials/ec2/security-credentials/ec2-instance' # 403 = access denied (fixed); a 2xx needs investigation
Disclosure
Exploit status
EPSS
0.24% (48th percentile)
CVSS vector
The primary mitigation for CVE-2024-0455 is to upgrade AnythingLLM to version 1.0.0 or later, which closes the SSRF in the web scraper. If that cannot happen immediately, reduce exposure in the meantime: limit the manager and admin roles (and with them the scraper) to the people who need them; validate scraper targets so that link-local, loopback and private addresses are refused after DNS resolution, not only by string matching on the URL; block outbound traffic from the application process to the metadata service (169.254.169.254, and fd00:ec2::254 where IPv6 is enabled) with host-level firewall rules; and, on the AWS side, require IMDSv2 so that a plain GET without a session token is answered with 401. Monitor application and firewall logs for requests targeting the metadata endpoint. After upgrading, confirm the fix by submitting the metadata URL to the scraper from a manager or admin account: the request must be refused and no credential material may appear in the resulting document.
Update AnythingLLM to version 1.0.0 or later, which contains the correction for the SSRF vulnerability. Alternatively, configure firewall or iptables rules that block access to the IP address 169.254.169.254 from the EC2 instance, scoped to the user the application runs as so that instance agents that legitimately need the metadata service keep working.
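The network-level workaround, monitoring hook and verification step in one script, as an added example written for this page (not from the advisory or from AnythingLLM; the uid 1001, the chain name IMDS_BLOCK, the log prefix and the sample kernel log lines are assumptions). The rules are scoped with the owner match to the application's uid, so SSM or CloudWatch agents on the same instance keep their metadata access; blocked attempts are logged with the uid before being rejected, and the parser turns those log lines into the events to alert on:

```shell
#!/bin/sh
# Added example, not part of this advisory or of AnythingLLM: block the EC2 metadata
# service for the Unix account the AnythingLLM server runs as (uid is an assumption;
# look yours up with `id -u <app-user>`), log every blocked attempt, parse those logs.
# Scoping the rule to one uid leaves instance agents that need IMDS (SSM, CloudWatch) working.

IMDS_V4="169.254.169.254"
IMDS_V6="fd00:ec2::254"   # AWS's documented IPv6 IMDS endpoint

# Print the iptables/ip6tables commands for the given uid. A dedicated chain logs first
# (with the uid), then rejects; inserting the jump at position 1 beats any earlier ACCEPT.
imds_block_rules() {
  uid="$1"
  cat <<EOF
iptables  -N IMDS_BLOCK 2>/dev/null || iptables  -F IMDS_BLOCK
iptables  -A IMDS_BLOCK -j LOG --log-prefix "IMDS-BLOCK " --log-uid
iptables  -A IMDS_BLOCK -j REJECT --reject-with icmp-port-unreachable
iptables  -I OUTPUT 1 -d ${IMDS_V4}/32 -m owner --uid-owner ${uid} -j IMDS_BLOCK
ip6tables -N IMDS_BLOCK 2>/dev/null || ip6tables -F IMDS_BLOCK
ip6tables -A IMDS_BLOCK -j LOG --log-prefix "IMDS-BLOCK " --log-uid
ip6tables -A IMDS_BLOCK -j REJECT
ip6tables -I OUTPUT 1 -d ${IMDS_V6}/128 -m owner --uid-owner ${uid} -j IMDS_BLOCK
EOF
}

# Parse kernel/journal lines produced by the LOG rule (stdin) into "timestamp uid=N dst=ADDR".
imds_block_events() {
  grep 'IMDS-BLOCK' | sed -n 's/^\(.*\) kernel: IMDS-BLOCK .*DST=\([^ ]*\).*UID=\([0-9]*\).*$/\1 uid=\3 dst=\2/p'
}

# Number of blocked attempts in a log stream (stdin).
count_imds_blocks() { imds_block_events | grep -c .; }

# Constructed sample log lines in iptables LOG format (not captured from a real host).
SAMPLE_KERNEL_LOG='Feb 26 10:01:12 ip-10-0-1-23 kernel: IMDS-BLOCK IN= OUT=ens5 SRC=10.0.1.23 DST=169.254.169.254 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4242 DF PROTO=TCP SPT=51234 DPT=80 WINDOW=62727 RES=0x00 SYN URGP=0 UID=1001 GID=1001
Feb 26 10:01:15 ip-10-0-1-23 kernel: IMDS-BLOCK IN= OUT=ens5 SRC=10.0.1.23 DST=169.254.169.254 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4243 DF PROTO=TCP SPT=51236 DPT=80 WINDOW=62727 RES=0x00 SYN URGP=0 UID=1001 GID=1001
Feb 26 10:02:00 ip-10-0-1-23 sshd[812]: Accepted publickey for ec2-user from 10.0.0.9 port 50122'

# Run on the instance after loading the rules: curl as the app user must fail
# (exit 7, connection refused) once the REJECT rule is in place.
verify_imds_blocked() {
  if sudo -u "$1" curl -s --max-time 3 -o /dev/null "http://${IMDS_V4}/latest/meta-data/"; then
    echo "STILL REACHABLE as uid $(id -u "$1")"; return 1
  fi
  echo "blocked for $1"
}

# Defence in depth on the AWS side: require IMDSv2, so a plain GET without a session token
# obtained via PUT is answered with 401 even if the host firewall is bypassed:
#   aws ec2 modify-instance-metadata-options --instance-id <your-instance-id> --http-tokens required

# Stand-alone use: print the rules for the uid given as first argument (default 1001).
imds_block_rules "${1:-1001}"
```

Pipe the output into `sh` as root to apply it, then run verify_imds_blocked with the application's user name; feed `journalctl -k` or /var/log/kern.log into imds_block_events to see who tried.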
CVE-2024-0455 is a critical SSRF vulnerability in AnythingLLM versions before 1.0.0 that lets a user with the manager or admin role read EC2 instance credentials through the web scraper.
You are affected if you run an AnythingLLM version earlier than 1.0.0 and have users with the manager or admin role (or run it in single-user mode), above all when the instance is hosted on EC2.
Upgrade to AnythingLLM version 1.0.0 or later. If an immediate upgrade is not possible, restrict the manager and admin roles, validate scraper URLs against internal address ranges, and block the application's access to the metadata service.
No active exploitation campaigns have been publicly confirmed. The vulnerability is easy to exploit for anyone who already holds a manager or admin account, so the probability of exploitation is moderate and depends on how widely those roles are granted.
Refer to the official AnythingLLM project repository or website for the latest security advisories and updates.