Description

A remote code execution vulnerability exists in mintplex-labs/anything-llm due to improper handling of environment variables. Attackers can exploit this vulnerability by injecting arbitrary environment variables via the `POST /api/system/update-env` endpoint, which allows for the execution of arbitrary code on the host running anything-llm. The vulnerability is present in the latest version of anything-llm, with the latest commit identified as fde905aac1812b84066ff72e5f2f90b56d4c3a59. This issue has been fixed in version 1.0.0. Successful exploitation could lead to code execution on the host, enabling attackers to read and modify data accessible to the user running the service, potentially leading to a denial of service.

INFO

Published Date :

2024-06-06T17:50:18.630Z

Last Modified :

2024-08-01T19:32:42.539Z

Source :

@huntr_ai
AFFECTED PRODUCTS

The following products are affected by CVE-2024-3104 vulnerability.

Vendors Products
Mintplexlabs
  • Anythingllm
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2024-3104.

URL Resource
https://github.com/mintplex-labs/anything-llm/commit/bfedfebfab032e6f4d5a369c8a2f947c5d0c5286 cve-icon cve-icon cve-icon
https://huntr.com/bounties/4f2fcb45-5828-4bec-985a-9d3a0ee00462 cve-icon cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact
Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact