Received
CVE has been recently published to the CVE List and has been received by the NVD.

Products

anything-llm

1.0.0

Source

security@huntr.dev

CVE-2024-3104 details

Published : June 6, 2024, 6:15 p.m.
Last Modified : June 6, 2024, 6:15 p.m.

Description

A remote code execution vulnerability exists in mintplex-labs/anything-llm due to improper handling of environment variables. Attackers can exploit this vulnerability by injecting arbitrary environment variables via the `POST /api/system/update-env` endpoint, which allows for the execution of arbitrary code on the host running anything-llm. The vulnerability is present in the latest version of anything-llm, with the latest commit identified as fde905aac1812b84066ff72e5f2f90b56d4c3a59. This issue has been fixed in version 1.0.0. Successful exploitation could lead to code execution on the host, enabling attackers to read and modify data accessible to the user running the service, potentially leading to a denial of service.

CVSS Score

1	2	3	4	5	6	7	8	9.6	10

Weakness

Weakness	Name	Description

CVSS Data

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

Base Score

9.6

Exploitability Score

Impact Score

Base Severity

CRITICAL

Vector String : CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

References

URL	Source
https://github.com/mintplex-labs/anything-llm/commit/bfedfebfab032e6f4d5a369c8a2f947c5d0c5286	security@huntr.dev
https://huntr.com/bounties/4f2fcb45-5828-4bec-985a-9d3a0ee00462	security@huntr.dev

This website uses the NVD API, but is not approved or certified by it.

CVE-2024-3104

Products

Source

Tags

CVE-2024-3104 details

Description

CVSS Score

Weakness

CVSS Data

Attack Vector

Attack Complexity

Privileges Required

Scope

Confidentiality Impact

Integrity Impact

Availability Impact

Base Score

Exploitability Score

Impact Score

Base Severity

References