| CVE-ID | ||
|---|---|---|
CVE-2024-0455 |
• CVSS Severity Rating • Fix Information • Vulnerable Software Versions • SCAP Mappings • CPE Information
|
|
| Description | ||
| The inclusion of the web scraper for AnythingLLM means that any user with the proper authorization level (manager, admin, and when in single user) could put in the URL ``` http://169.254.169.254/latest/meta-data/identity-credentials/ec2/security-credentials/ec2-instance ``` which is a special IP and URL that resolves only when the request comes from within an EC2 instance. This would allow the user to see the connection/secret credentials for their specific instance and be able to manage it regardless of who deployed it. The user would have to have pre-existing knowledge of the hosting infra which the target instance is deployed on, but if sent - would resolve if on EC2 and the proper `iptable` or firewall rule is not configured for their setup. | ||
| References | ||
| Note: References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete. | ||
|
||
| Assigning CNA | ||
| Protect AI | ||
| Date Record Created | ||
| 20240112 | Disclaimer: The record creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE. | |
| Phase (Legacy) | ||
| Assigned (20240112) | ||
| Votes (Legacy) | ||
| Comments (Legacy) | ||
| Proposed (Legacy) | ||
| N/A | ||
| This is an record on the CVE List, which provides common identifiers for publicly known cybersecurity vulnerabilities. | ||
|
You can also search by reference using the CVE Reference Maps.
|
||
| For More Information: CVE Request Web Form (select "Other" from dropdown) | ||
