CVE-2024-0549

Exploit

EPSS 0.25%
Veröffentlicht 16.04.2024 00:15:07
Zuletzt bearbeitet 09.07.2025 19:37:14
Quelle security@huntr.dev
CVE-Watchlists
Login
Unerledigt
Login

mintplex-labs/anything-llm is vulnerable to a relative path traversal attack, allowing unauthorized attackers with a default role account to delete files and folders within the filesystem, including critical database files such as 'anythingllm.db'. The vulnerability stems from insufficient input validation and normalization in the handling of file and folder deletion requests. Successful exploitation results in the compromise of data integrity and availability.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 5

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Mintplexlabs ≫ Anythingllm Version < 1.0.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.25%	0.479

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security@huntr.dev	8.1	2.8	5.2	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

CWE-23 Relative Path Traversal

The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory.

https://github.com/mintplex-labs/anything-llm/commit/026849df0224b6a8754f4103530bc015874def62

Patch

https://huntr.com/bounties/fcb4001e-0290-4b78-a2f0-91ee5d20cc72

Third Party Advisory

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2024-0549

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-0549

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-0549

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2024-0549