VDB

CVE-2024-0759

CVE-2024-0759 PUBLISHED CVSS 7.699999809265137 HIGH

Should an instance of AnythingLLM be hosted on an internal network and the attacked be explicitly granted a permission level of manager or admin, they could link-scrape internally resolving IPs of other services that are on the same network as AnythingLLM. This would require the attacker also be able to guess these internal IPs as `/*` ranging is not possible, but could be brute forced. There is a duty of care that other services on the same network would not be fully open and accessible via a simple CuRL with zero authentication as it is not possible to set headers or access via the link collector.

EPSS 0.41% · 61.4th percentile

Risk Scores

CVSS v3.0
7.699999809265137
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
EPSS Score
0.41%
61.4th percentile

Affected Products

VendorProductVersions
mintplexlabsanythingllm0, 0
mintplexlabsanythingllm0, 0
mintplex-labsmintplex-labs/anything-llmunspecified, unspecified

Timeline

  • Feb 27, 2024 EPSS Score
  • Feb 27, 2024 CVE Published
  • Feb 27, 2024 PoC Published
  • Feb 27, 2024 PoC Published
  • Mar 24, 2024 EPSS Score
  • Apr 20, 2024 EPSS Score
  • May 16, 2024 EPSS Score
  • Jun 12, 2024 EPSS Score
  • Jul 8, 2024 EPSS Score
  • Aug 8, 2024 EPSS Score
  • Sep 3, 2024 EPSS Score
  • Sep 30, 2024 EPSS Score

References

Open in Interactive Console →
$ Console Community · 100/wk Open console ›