Platform
nodejs
Component
anything-llm
Fixed in
1.0.1
CVE-2024-0763 describes a path traversal vulnerability discovered in Anything LLM. This flaw allows authenticated attackers to recursively delete arbitrary folders on a remote server, potentially leading to significant data loss and service disruption. The vulnerability impacts versions of Anything LLM up to and including 1.0.0, but a fix is available in version 1.0.0.
The impact of CVE-2024-0763 is significant due to the potential for complete data loss. An attacker who can authenticate to the Anything LLM server, even with limited privileges, can exploit this vulnerability to delete critical files and directories. This could disrupt services, compromise sensitive data, and potentially lead to a denial-of-service condition. The recursive nature of the deletion means that an attacker could rapidly escalate the damage, potentially wiping out entire data stores. While authentication is required, the ease of exploitation once authenticated makes this a high-priority concern.
CVE-2024-0763 was publicly disclosed on 2024-02-27. Currently, there are no known public exploits or active campaigns targeting this vulnerability. The EPSS score is likely to be medium, given the requirement for authentication but the potentially severe impact of successful exploitation. It is not listed on the CISA KEV catalog as of this writing.
Organizations deploying Anything LLM in production environments, particularly those with limited access controls or legacy configurations, are at risk. Shared hosting environments where multiple users share the same server are also particularly vulnerable, as a compromised user account could be leveraged to exploit this vulnerability and impact other users.
• nodejs / server:
find /path/to/anything_llm -name '*deleteFolder*' -type f -print0 | xargs -0 grep -n -i -e 'path.join' -e '\.\./'
• generic web:
curl -I 'http://your-anything-llm-server/deleteFolder?path=../../../../etc/passwd' # Check for 200 OK or other unexpected responses
EPSS
0.91% (76th percentile)
The primary mitigation for CVE-2024-0763 is to upgrade to version 1.0.0 or later of Anything LLM. If upgrading is not immediately feasible, consider implementing stricter access controls to limit the privileges of authenticated users. Implement input validation and sanitization on all user-supplied data, particularly file paths, to prevent path traversal attacks. Review server logs for any suspicious activity related to file deletion or unusual path access patterns. Consider using a Web Application Firewall (WAF) with path traversal rules to block malicious requests.
Update Anything LLM to a version later than 1.0.0. This resolves the path traversal vulnerability that allows arbitrary folder deletion. See commit 8a7324d0e77a15186e1ad5e5119fca4fb224c39c for details of the fix.
CVE-2024-0763 is a path traversal vulnerability in Anything LLM versions up to 1.0.0, allowing authenticated attackers to delete arbitrary folders on a remote server due to insufficient input sanitization.
If you are using Anything LLM version 1.0.0 or earlier, you are potentially affected by this vulnerability. Assess your server access controls to determine your risk level.
The recommended fix is to upgrade to version 1.0.0 or later. As a temporary workaround, implement stricter input validation on the folder deletion endpoint.
There is currently no confirmed evidence of active exploitation in the wild, but the vulnerability's nature makes it a potential target.
Refer to the official Anything LLM release notes and security advisories on their project repository for the most up-to-date information.