Platform
nodejs
Component
anything-llm
Fixed in
1.0.1
CVE-2024-0439 describes an authorization bypass (improper authorization) vulnerability in Anything LLM. It allows a user holding the manager role to modify system settings that the intended permission model reserves for administrators. The vulnerability affects Anything LLM versions up to and including 1.0.0; a fix is available in version 1.0.1.
The attacker is an authenticated user with the manager role. The web UI hides the restricted settings from managers as a convenience, but the server-side handler does not enforce the same restriction, so a manager who sends the HTTP request directly (for example with curl or a browser's developer tools) can change settings that only an administrator should be able to change. Hiding a control in the UI is not an access control: the role check has to be applied on the server for every request. Resulting configuration changes could disrupt the LLM's functionality, compromise data integrity, or cause unexpected behaviour. The impact is moderate because exploitation requires an existing manager account plus knowledge of the endpoint and the setting names, but the consequences of a successful modification could be significant.
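The pattern described above, shown as an added example that is not code from Anything LLM: a settings-update handler written the vulnerable way, where only the UI keeps admin settings away from managers, next to a hardened version that enforces the role on the server for every key. The setting names, role names, endpoint shape and request objects are assumptions made for illustration, not the project's real API.

```javascript
// Added illustrative example (not Anything LLM's code). Roles, setting names
// and the request shape are hypothetical; the point is where the check lives.

const ADMIN = "admin";
const MANAGER = "manager";

// Hypothetical settings that only an administrator may change.
const ADMIN_ONLY_KEYS = new Set(["llm_provider", "llm_api_key", "multi_user_mode"]);
// Hypothetical settings that an admin or a manager may change.
const MANAGER_KEYS = new Set(["welcome_message", "default_workspace"]);

function freshSettings() {
  return {
    llm_provider: "openai",
    llm_api_key: "sk-original",
    multi_user_mode: true,
    welcome_message: "Hello",
    default_workspace: "general",
  };
}

// Vulnerable handler: assumes the UI never shows admin-only settings to a
// manager, so it only checks that the caller is logged in and then stores
// whatever keys arrive in the body. A hand-crafted request bypasses the UI.
function updateSettingsVulnerable(settings, req) {
  if (!req.user) return { status: 401, body: { error: "unauthenticated" } };
  for (const [key, value] of Object.entries(req.body || {})) {
    settings[key] = value;
  }
  return { status: 200, body: { ok: true } };
}

// Hardened handler: authorization is decided on the server per key, against
// an allow-list, and the whole request is rejected before any write happens.
function updateSettingsHardened(settings, req) {
  if (!req.user) return { status: 401, body: { error: "unauthenticated" } };
  const isAdmin = req.user.role === ADMIN;
  const isManager = req.user.role === MANAGER;
  if (!isAdmin && !isManager) return { status: 403, body: { error: "forbidden" } };

  const keys = Object.keys(req.body || {});
  const unknown = keys.filter((k) => !ADMIN_ONLY_KEYS.has(k) && !MANAGER_KEYS.has(k));
  if (unknown.length) {
    return { status: 400, body: { error: "unknown settings", keys: unknown } };
  }
  const denied = keys.filter((k) => ADMIN_ONLY_KEYS.has(k) && !isAdmin);
  if (denied.length) {
    // No partial writes: nothing was stored before this check failed.
    return { status: 403, body: { error: "admin role required", keys: denied } };
  }
  for (const [key, value] of Object.entries(req.body || {})) {
    settings[key] = value;
  }
  return { status: 200, body: { ok: true } };
}

// A manager crafting the HTTP request directly, skipping the hidden UI form.
function managerAttack(handler) {
  const settings = freshSettings();
  const req = { user: { id: 7, role: MANAGER }, body: { llm_api_key: "sk-attacker" } };
  const res = handler(settings, req);
  return { status: res.status, llm_api_key: settings.llm_api_key };
}

// Control case: the same manager changing a setting they are allowed to change.
function managerLegitimate(handler) {
  const settings = freshSettings();
  const req = { user: { id: 7, role: MANAGER }, body: { welcome_message: "Welcome back" } };
  const res = handler(settings, req);
  return { status: res.status, welcome_message: settings.welcome_message };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("vulnerable:", managerAttack(updateSettingsVulnerable));
  console.log("hardened:  ", managerAttack(updateSettingsHardened));
  console.log("legitimate:", managerLegitimate(updateSettingsHardened));
}

module.exports = { updateSettingsVulnerable, updateSettingsHardened, managerAttack, managerLegitimate };
```

Against the vulnerable handler the manager's direct request succeeds and the API key is replaced; against the hardened one the same request is refused with 403 and the stored value is untouched, while the manager's legitimate change still goes through. The allow-list also turns unexpected keys into a 400 instead of silently persisting them.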
This vulnerability was publicly disclosed on 2024-02-25. There are currently no known public exploits or active campaigns targeting this CVE. The vulnerability is not listed on the CISA KEV catalog at the time of writing. The ease of exploitation is considered moderate, requiring knowledge of the API and the ability to craft HTTP requests.
Exploit Status
EPSS
0.22% (44th percentile)
CVSS Vector
The primary mitigation is to upgrade to Anything LLM version 1.0.1 or later, which includes the fix for this authorization bypass. If upgrading is not immediately feasible, restrict the settings-modification endpoints at the HTTP layer (for example with a reverse proxy rule that only lets administrator sessions reach them) and review which accounts hold the manager role. Validate settings updates on the server against an allow-list of keys and values so the endpoint cannot be used to submit arbitrary configuration. Regularly review access logs for settings changes made by non-administrator accounts.
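The log review suggested above, as an added example rather than anything from the Anything LLM project: scan an application access log for write requests to the settings endpoint made by accounts that are not administrators. The log line format, the field names and the `/api/system/settings` path are constructed for this example; adapt the regular expression to whatever your proxy or application actually logs.

```javascript
// Added example (not from Anything LLM). Log format and endpoint path are
// constructed assumptions; the detection logic is what matters.

// Constructed sample log: timestamp method path user role status
const SAMPLE_LOG = `
2024-02-25T10:00:01Z GET /api/system/settings user=1 role=admin status=200
2024-02-25T10:02:14Z POST /api/system/settings user=1 role=admin status=200
2024-02-25T10:05:37Z GET /api/workspaces user=7 role=manager status=200
2024-02-25T10:06:02Z POST /api/system/settings user=7 role=manager status=200
2024-02-25T10:06:30Z PUT /api/system/settings user=9 role=default status=403
2024-02-25T10:07:11Z POST /api/system/settings user=7 role=manager status=403
`.trim();

const LINE_RE = /^(\S+) (\S+) (\S+) user=(\d+) role=(\S+) status=(\d{3})$/;
const WRITE_METHODS = new Set(["POST", "PUT", "PATCH", "DELETE"]);
const SETTINGS_PATH = /^\/api\/system\/settings/; // hypothetical path

function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  return {
    time: m[1],
    method: m[2],
    path: m[3],
    user: Number(m[4]),
    role: m[5],
    status: Number(m[6]),
  };
}

// Returns every write to the settings endpoint by a non-admin account.
// `succeeded` marks the ones that returned 2xx: on an unpatched host that is
// the bypass actually happening, on a patched host those should all be 403.
function findSuspiciousSettingsWrites(text) {
  const hits = [];
  for (const raw of text.split("\n")) {
    const entry = parseLine(raw.trim());
    if (!entry) continue; // unparseable line, skip
    if (!WRITE_METHODS.has(entry.method)) continue;
    if (!SETTINGS_PATH.test(entry.path)) continue;
    if (entry.role === "admin") continue;
    hits.push({ ...entry, succeeded: entry.status >= 200 && entry.status < 300 });
  }
  return hits;
}

if (typeof require !== "undefined" && require.main === module) {
  for (const h of findSuspiciousSettingsWrites(SAMPLE_LOG)) {
    console.log(`${h.time} user=${h.user} role=${h.role} ${h.method} ${h.path} -> ${h.status}${h.succeeded ? "  <-- succeeded" : ""}`);
  }
}

module.exports = { parseLine, findSuspiciousSettingsWrites, SAMPLE_LOG };
```

On the constructed sample the scan flags three non-admin write attempts, one of which succeeded (user 7, role manager, status 200); that is the line worth investigating. Attempts that were refused with 403 are still useful as an indicator that someone is probing the endpoint.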
Upgrade to a version later than 1.0.0 in which the vulnerability has been fixed. This prevents users with the 'manager' role from modifying system settings directly via HTTP requests.
CVE-2024-0439 is a vulnerability in Anything LLM that allows unauthorized modification of settings due to a bypass in the authorization mechanism.
You are affected if you are using Anything LLM versions 1.0.0 or earlier.
Upgrade to Anything LLM version 1.0.1 or later to remediate the vulnerability. As an interim measure, restrict the settings-modification endpoints at the HTTP layer so that only administrator sessions can reach them.
There are currently no known public exploits or active campaigns targeting this CVE.
Refer to the official Anything LLM documentation and release notes for details regarding this vulnerability and the fix.