CVE - CVE-2024-3029

CVE-ID
CVE-2024-3029	Learn more at National Vulnerability Database (NVD) • CVSS Severity Rating • Fix Information • Vulnerable Software Versions • SCAP Mappings • CPE Information
Description
In mintplex-labs/anything-llm, an attacker can exploit improper input validation by sending a malformed JSON payload to the '/system/enable-multi-user' endpoint. This triggers an error that is caught by a catch block, which in turn deletes all users and disables the 'multi_user_mode'. The vulnerability allows an attacker to remove all existing users and potentially create a new admin user without requiring a password, leading to unauthorized access and control over the application.
References
Note: References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.
MISC:https://github.com/mintplex-labs/anything-llm/commit/99cfee1e7025fe9a0919a4d506ba1e1b819f6073 URL:https://github.com/mintplex-labs/anything-llm/commit/99cfee1e7025fe9a0919a4d506ba1e1b819f6073 MISC:https://huntr.com/bounties/7189a7a0-9830-459d-b853-bdc2559999a0 URL:https://huntr.com/bounties/7189a7a0-9830-459d-b853-bdc2559999a0
Assigning CNA
Protect AI
Date Record Created
20240327	Disclaimer: The record creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
Phase (Legacy)
Assigned (20240327)
Votes (Legacy)

Comments (Legacy)

Proposed (Legacy)
N/A
This is an record on the CVE List, which provides common identifiers for publicly known cybersecurity vulnerabilities.
Search CVE Using Keywords: You can also search by reference using the CVE Reference Maps.
For More Information: CVE Request Web Form (select "Other" from dropdown)