Platform
nodejs
Component
anything-llm
Fixed in
1.0.1
CVE-2024-0550 is a critical vulnerability affecting Anything LLM versions up to 1.0.0. It allows authenticated, privileged users (with 'manager' or 'admin' roles) to download arbitrary files from the server. This vulnerability arises from a flaw in the profile picture upload process, enabling attackers to bypass access controls and retrieve files they shouldn't be able to access. The vulnerability was published on 2024-02-28 and a fix is available in version 1.0.0.
The impact of CVE-2024-0550 is significant, particularly for deployments where sensitive data is stored on the server. An attacker who has already obtained privileged access (e.g., through a separate vulnerability or compromised credentials) can leverage this flaw to download any file accessible to the application's backend. This could include configuration files containing database credentials, source code, or other confidential information. The potential for data exfiltration is high, and the attacker could use the downloaded data for further malicious activities, such as identity theft, financial fraud, or disruption of services. The scope of the attack is limited to users with existing privileged access, but the consequences of a successful exploit can be severe.
CVE-2024-0550 is currently not listed on the CISA KEV catalog. Public proof-of-concept (PoC) code is not widely available, but the vulnerability's description suggests a relatively straightforward exploitation process for attackers with privileged access. The EPSS score is likely to be medium, reflecting the requirement for initial privileged access but the ease of exploitation once that access is obtained. The vulnerability was disclosed publicly on 2024-02-28.
Organizations using Anything LLM in environments where privileged user accounts exist are at risk. This includes deployments with multiple administrators or managers, and those where user roles and permissions are not strictly enforced. Shared hosting environments where multiple users share the same server instance are also particularly vulnerable, as a compromise of one privileged account could lead to widespread data exfiltration.
• nodejs / server:
  # Monitor for suspicious file access attempts in application logs
  grep -i "profile picture" /var/log/anythingllm/access.log
• generic web:
  # Check for endpoint exposure related to profile picture uploads
  curl -I https://your-anythingllm-instance/api/v1/user/profile/picture
Disclosure
Exploit Status
EPSS
0.85% (75th percentile)
CVSS vector
The primary mitigation for CVE-2024-0550 is to upgrade to version 1.0.0 of Anything LLM, which contains the fix for this vulnerability. If upgrading immediately is not feasible, consider implementing temporary workarounds to restrict file access. Specifically, review and strengthen access control lists (ACLs) on the server to limit the files accessible to the application's backend. Implement strict input validation on the profile picture upload endpoint to prevent the use of relative filepaths. Monitor application logs for suspicious activity, such as unusual file download requests. After upgrading, confirm the fix by attempting to upload a profile picture using a relative filepath and verifying that the download fails with an appropriate error message.
Upgrade to a version later than 1.0.0 in which the vulnerability has been fixed. The update reduces the ability of privileged users to access unauthorized system files. See commit e1dcd5ded010b03abd6aa32d1bf0668a48e38e17 for more details on the fix.
CVE-2024-0550 is a critical vulnerability in Anything LLM versions up to 1.0.0 that allows privileged users to download arbitrary files by manipulating profile picture uploads.
If you are using Anything LLM version 1.0.0 or earlier, you are potentially affected by this vulnerability. Check your current version and upgrade immediately if necessary.
The recommended fix is to upgrade to version 1.0.0 of Anything LLM. If immediate upgrade is not possible, implement temporary workarounds like restricting file access and strengthening ACLs.
While there is no widespread confirmation of active exploitation, the vulnerability's ease of exploitation makes it a potential target for attackers with privileged access.
Refer to the official Anything LLM security advisories and release notes for detailed information and updates regarding CVE-2024-0550.