7.5

CVE-2024-7783

Exploit

EPSS 0.1%
Veröffentlicht 29.10.2024 13:15:10
Zuletzt bearbeitet 31.10.2024 15:49:02
Quelle security@huntr.dev
CVE-Watchlists
Login
Unerledigt
Login

mintplex-labs/anything-llm version latest contains a vulnerability where sensitive information, specifically a password, is improperly stored within a JWT (JSON Web Token) used as a bearer token in single user mode. When decoded, the JWT reveals the password in plaintext. This improper storage of sensitive information poses significant security risks, as an attacker who gains access to the JWT can easily decode it and retrieve the password. The issue is fixed in version 1.0.3.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Mintplexlabs ≫ Anythingllm Version < 1.2.1

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.1%	0.271

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
security@huntr.dev	5.9	2.2	3.6	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE-312 Cleartext Storage of Sensitive Information

The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.

https://github.com/mintplex-labs/anything-llm/commit/4430ddb05988470bc8f0479e7d07db1f7d4646ba

Patch

https://huntr.com/bounties/20e9950f-ad41-4d6b-8bd0-c7f7051695b3

Third Party Advisory

Exploit

Mitigation

https://nvd.nist.gov/vuln/detail/CVE-2024-7783

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-7783

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-7783

EUVD