Platform
nodejs
Component
anything-llm
Fixed in
1.0.1
CVE-2024-3279 describes an improper access control vulnerability within the mintplex-labs/anything-llm application. This flaw allows unauthenticated attackers to import arbitrary database files, leading to the potential deletion or manipulation of the core anythingllm.db database. Versions of Anything LLM prior to 1.0.0 are affected, and a fix has been released in version 1.0.0.
The impact of CVE-2024-3279 is significant due to the ease of exploitation and the potential for data compromise. An attacker can bypass authentication and directly import a malicious database file. This could result in the complete deletion of the existing anythingllm.db file, effectively crippling the application. More concerningly, an attacker could import a crafted database containing malicious data, which would then be served to legitimate users. This could lead to data theft, manipulation of application behavior, or even the injection of malicious code. The blast radius extends to all users of the affected application, as anyone interacting with the application could be exposed to the attacker's manipulated data.
CVE-2024-3279 was publicly disclosed on August 9, 2024. There is currently no indication of active exploitation campaigns targeting this vulnerability. The vulnerability is not listed on the CISA KEV catalog at the time of writing. Public proof-of-concept (PoC) code has not been widely released, but the simplicity of the vulnerability suggests that PoCs are likely to emerge.
Organizations and individuals deploying mintplex-labs/anything-llm in production environments are at risk. This includes those using the application for local development or testing purposes. Shared hosting environments where multiple users have access to the server are particularly vulnerable, as an attacker could potentially exploit the vulnerability through another user's account.
• nodejs / server:
ps aux | grep anything-llm | grep -v grep
# Check for unusual processes or arguments related to database imports
• generic web:
curl -I http://your-anything-llm-server/import
# Check for lack of authentication requirements
# Examine response headers for any unusual permissions or access control settings
Exploit status
EPSS
0.26% (percentile 49%)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2024-3279 is to immediately upgrade to version 1.0.0 or later of the mintplex-labs/anything-llm application. If upgrading is not immediately feasible, consider implementing strict file access controls on the server hosting the application. Restrict write access to the anythingllm.db file to only the application's user account. Additionally, implement input validation on the import endpoint to prevent the upload of unexpected file types or excessively large files. While a WAF might not directly prevent this vulnerability, it could be configured to flag suspicious file uploads or database manipulation attempts. After upgrading, confirm the fix by attempting to import a test database file as an unauthenticated user; the import should be rejected.
Update Anything LLM to version 1.0.0 or later. This version contains a fix for the improper access control vulnerability in the import endpoint. The update prevents anonymous attackers from importing malicious databases.
CVE-2024-3279 is a CRITICAL vulnerability in Anything LLM versions ≤1.0.0 that allows unauthenticated attackers to import malicious database files, potentially deleting or spoofing the 'anythingllm.db' file.
Yes, if you are using Anything LLM version 1.0.0 or earlier, you are vulnerable to this improper access control flaw.
Upgrade to version 1.0.0 or later of the Anything LLM application. As a temporary workaround, restrict write access to the 'anythingllm.db' file.
There is currently no confirmed evidence of active exploitation, but the vulnerability's simplicity suggests PoCs are likely to emerge.
Refer to the official mintplex-labs/anything-llm repository and associated release notes for the latest information and advisory regarding CVE-2024-3279.