CVE-2024-0550

A user who is privileged already `manager` or `admin` can set their profile picture via the frontend API using a relative filepath to then user the PFP GET API to download any valid files. The attacker would have to have been granted privileged permissions to the system before executing this attack.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/mintplex-labs/anything-llm/commit/e1dcd5ded010b03abd6aa32d1bf0668a48e38e17	Patch
https://huntr.com/bounties/c6afeb5e-f211-4b3d-aa4b-6bad734217a6	Exploit Issue Tracking Patch Third Party Advisory
https://github.com/mintplex-labs/anything-llm/commit/e1dcd5ded010b03abd6aa32d1bf0668a48e38e17	Patch
https://huntr.com/bounties/c6afeb5e-f211-4b3d-aa4b-6bad734217a6	Exploit Issue Tracking Patch Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:mintplexlabs:anythingllm:*:*:*:*:*:*:*:*

History

10 Jan 2025, 15:22

Type	Values Removed	Values Added
References	~~() https://github.com/mintplex-labs/anything-llm/commit/e1dcd5ded010b03abd6aa32d1bf0668a48e38e17 -~~	() https://github.com/mintplex-labs/anything-llm/commit/e1dcd5ded010b03abd6aa32d1bf0668a48e38e17 - Patch
References	~~() https://huntr.com/bounties/c6afeb5e-f211-4b3d-aa4b-6bad734217a6 -~~	() https://huntr.com/bounties/c6afeb5e-f211-4b3d-aa4b-6bad734217a6 - Exploit, Issue Tracking, Patch, Third Party Advisory
CPE		cpe:2.3:a:mintplexlabs:anythingllm::::::::
First Time		Mintplexlabs Mintplexlabs anythingllm
CVSS	v2 : ~~unknown~~ v3 : ~~9.6~~	v2 : unknown v3 : 6.5

Information

Published : 2024-02-28 05:15

Updated : 2025-01-10 15:22

NVD link : CVE-2024-0550

Mitre link : CVE-2024-0550

CVE.ORG link : CVE-2024-0550

JSON object : View

Products Affected

mintplexlabs

anythingllm

CWE

CWE-23

Relative Path Traversal

{"id": "CVE-2024-0550", "cveTags": [], "metrics": {"cvssMetricV30": [{"type": "Secondary", "source": "security@huntr.dev", "cvssData": {"scope": "CHANGED", "version": "3.0", "baseScore": 9.6, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.8, "exploitabilityScore": 3.1}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.8}]}, "published": "2024-02-28T05:15:08.770", "references": [{"url": "https://github.com/mintplex-labs/anything-llm/commit/e1dcd5ded010b03abd6aa32d1bf0668a48e38e17", "tags": ["Patch"], "source": "security@huntr.dev"}, {"url": "https://huntr.com/bounties/c6afeb5e-f211-4b3d-aa4b-6bad734217a6", "tags": ["Exploit", "Issue Tracking", "Patch", "Third Party Advisory"], "source": "security@huntr.dev"}, {"url": "https://github.com/mintplex-labs/anything-llm/commit/e1dcd5ded010b03abd6aa32d1bf0668a48e38e17", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://huntr.com/bounties/c6afeb5e-f211-4b3d-aa4b-6bad734217a6", "tags": ["Exploit", "Issue Tracking", "Patch", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security@huntr.dev", "description": [{"lang": "en", "value": "CWE-23"}]}], "descriptions": [{"lang": "en", "value": "A user who is privileged already `manager` or `admin` can set their profile picture via the frontend API using a relative filepath to then user the PFP GET API to download any valid files.\n\nThe attacker would have to have been granted privileged permissions to the system before executing this attack."}, {"lang": "es", "value": "Un usuario que ya tiene privilegios de \"administrador\" o \"administrador\" puede configurar su imagen de perfil a trav\u00e9s de la API de interfaz utilizando una ruta de archivo relativa para luego usar la API GET de PFP para descargar cualquier archivo v\u00e1lido. Al atacante se le tendr\u00edan que haber concedido permisos privilegiados en el sistema antes de ejecutar este ataque."}], "lastModified": "2025-01-10T15:22:26.327", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:mintplexlabs:anythingllm:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0D667E32-5A5C-479C-BB81-47F3BCA38C13", "versionEndExcluding": "1.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "security@huntr.dev"}