CVE-2024-8248

Exploit

EPSS 0.24%
Veröffentlicht 20.03.2025 10:11:32
Zuletzt bearbeitet 15.07.2025 15:16:11
Quelle security@huntr.dev
CVE-Watchlists
Login
Unerledigt
Login

A vulnerability in the normalizePath function in mintplex-labs/anything-llm version git 296f041 allows for path traversal, leading to arbitrary file read and write in the storage directory. This can result in privilege escalation from manager to admin. The issue is fixed in version 1.2.2.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Mintplexlabs ≫ Anythingllm Version < 1.2.2

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.24%	0.471

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security@huntr.dev	7.2	1.2	5.9	CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CWE-29 Path Traversal: '\..\filename'

The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '\..\filename' (leading backslash dot dot) sequences that can resolve to a location that is outside of that directory.

https://github.com/mintplex-labs/anything-llm/commit/47a5c7126c20e2277ee56e2c7ee11990886a40a7

Patch

https://huntr.com/bounties/7d6c3b7a-1116-450d-b539-9c911a97537e

Third Party Advisory

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2024-8248

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-8248

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-8248

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2024-8248