CVE-2024-3279

An improper access control vulnerability exists in the mintplex-labs/anything-llm application, specifically within the import endpoint. This vulnerability allows an anonymous attacker, without an account in the application, to import their own database file, leading to the deletion or spoofing of the existing `anythingllm.db` file. By exploiting this vulnerability, attackers can serve malicious data to users or collect information about them. The vulnerability stems from the application's failure to properly restrict access to the data-import functionality, allowing unauthorized database manipulation.

CVSS v3 9.1 CRITICAL

9.1^/10

CVSS v3 : CRITICAL

Vector : AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

Exploitability : 3.9 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/mintplex-labs/anything-llm/commit/08d33cfd8fc47c5052b6ea29597c964a9da641e2	Patch
https://huntr.com/bounties/303c5145-2c14-4945-914a-936be74dd04e	Exploit Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:mintplexlabs:anythingllm:*:*:*:*:*:*:*:*

History

10 Jul 2025, 15:47

Type	Values Removed	Values Added
References	~~() https://github.com/mintplex-labs/anything-llm/commit/08d33cfd8fc47c5052b6ea29597c964a9da641e2 -~~	() https://github.com/mintplex-labs/anything-llm/commit/08d33cfd8fc47c5052b6ea29597c964a9da641e2 - Patch
References	~~() https://huntr.com/bounties/303c5145-2c14-4945-914a-936be74dd04e -~~	() https://huntr.com/bounties/303c5145-2c14-4945-914a-936be74dd04e - Exploit, Third Party Advisory
First Time		Mintplexlabs Mintplexlabs anythingllm
CWE		NVD-CWE-noinfo
CPE		cpe:2.3:a:mintplexlabs:anythingllm::::::::

Information

Published : 2024-08-12 13:38

Updated : 2025-07-10 15:47

NVD link : CVE-2024-3279

Mitre link : CVE-2024-3279

CVE.ORG link : CVE-2024-3279

JSON object : View

Products Affected

mintplexlabs

anythingllm

CWE

CWE-284

Improper Access Control

NVD-CWE-noinfo

{"id": "CVE-2024-3279", "cveTags": [], "metrics": {"cvssMetricV30": [{"type": "Secondary", "source": "security@huntr.dev", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 5.2, "exploitabilityScore": 3.9}]}, "published": "2024-08-12T13:38:26.990", "references": [{"url": "https://github.com/mintplex-labs/anything-llm/commit/08d33cfd8fc47c5052b6ea29597c964a9da641e2", "tags": ["Patch"], "source": "security@huntr.dev"}, {"url": "https://huntr.com/bounties/303c5145-2c14-4945-914a-936be74dd04e", "tags": ["Exploit", "Third Party Advisory"], "source": "security@huntr.dev"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security@huntr.dev", "description": [{"lang": "en", "value": "CWE-284"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "An improper access control vulnerability exists in the mintplex-labs/anything-llm application, specifically within the import endpoint. This vulnerability allows an anonymous attacker, without an account in the application, to import their own database file, leading to the deletion or spoofing of the existing `anythingllm.db` file. By exploiting this vulnerability, attackers can serve malicious data to users or collect information about them. The vulnerability stems from the application's failure to properly restrict access to the data-import functionality, allowing unauthorized database manipulation."}, {"lang": "es", "value": "Existe una vulnerabilidad de control de acceso inadecuado en la aplicaci\u00f3n mintplex-labs/anything-llm, espec\u00edficamente dentro del endpoint de importaci\u00f3n. Esta vulnerabilidad permite que un atacante an\u00f3nimo, sin una cuenta en la aplicaci\u00f3n, importe su propio archivo de base de datos, lo que lleva a la eliminaci\u00f3n o falsificaci\u00f3n del archivo `anythingllm.db` existente. Al explotar esta vulnerabilidad, los atacantes pueden entregar datos maliciosos a los usuarios o recopilar informaci\u00f3n sobre ellos. La vulnerabilidad se debe a que la aplicaci\u00f3n no restringe adecuadamente el acceso a la funcionalidad de importaci\u00f3n de datos, lo que permite la manipulaci\u00f3n no autorizada de la base de datos."}], "lastModified": "2025-07-10T15:47:24.220", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:mintplexlabs:anythingllm:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0D667E32-5A5C-479C-BB81-47F3BCA38C13", "versionEndExcluding": "1.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "security@huntr.dev"}