
CVSS: 7.1 • EPSS: 0% • CPEs: 1 • EXPL: 0

25 Feb 2024 — Theoretically, it would be possible for an attacker to brute-force the password of an instance running in single-user password protection mode via a timing attack, given the linear (early-exit) nature of the `!==` operator used for the comparison. The risk is reduced by the additional overhead of the request, which varies in a non-constant way and makes the attack less reliable to execute. • https://github.com/mintplex-labs/anything-llm/commit/3c859ba3038121b67fb98e87dc52617fa27cbef0 • CWE-203: Observable Discrepancy • CWE-764: Multiple Locks of a Critical Resource

CVSS: 9.9 • EPSS: 0% • CPEs: 2 • EXPL: 0

25 Feb 2024 — The inclusion of the web scraper in AnythingLLM means that any user with the proper authorization level (manager, admin, and any user in single-user mode) could enter the URL `http://169.254.169.254/latest/meta-data/identity-credentials/ec2/security-credentials/ec2-instance`, a special IP and URL that resolves only when the request comes from within an EC2 instance. This would allow the user to see the connection/secret credentials for their specific instance and be able to manage it regardless of wh... • https://github.com/mintplex-labs/anything-llm/commit/b2b2c2afe15c48952d57b4d01e7108f9515c5f55 • CWE-918: Server-Side Request Forgery (SSRF)

CVSS: 7.8 • EPSS: 2% • CPEs: 1 • EXPL: 1

19 Jan 2024 — AnythingLLM is an application that turns any document, resource, or piece of content into context that any LLM can use as a reference during chatting. In versions prior to commit `08d33cfd8`, an unauthenticated API route (file export) can allow an attacker to crash the server, resulting in a denial of service. The "data-export" endpoint is used to export files, using the filename parameter as user input. The endpoint takes the user input, filters it to avoid directory traversal attacks, fetches the file fro... • https://github.com/Mintplex-Labs/anything-llm/commit/08d33cfd8fc47c5052b6ea29597c964a9da641e2 • CWE-754: Improper Check for Unusual or Exceptional Conditions

CVSS: 9.0 • EPSS: 0% • CPEs: 1 • EXPL: 1

30 Oct 2023 — Improper Access Control in GitHub repository mintplex-labs/anything-llm prior to 0.1.0. • https://github.com/mintplex-labs/anything-llm/commit/d5b1f84a4c7991987eac3454d4f1b4067841d783 • CWE-284: Improper Access Control

CVSS: 9.4 • EPSS: 0% • CPEs: 1 • EXPL: 1

30 Oct 2023 — Improper Input Validation in GitHub repository mintplex-labs/anything-llm prior to 0.1.0. • https://github.com/mintplex-labs/anything-llm/commit/18798c5b640018aaee924e0afd941705d88df92e • CWE-20: Improper Input Validation

CVSS: 10.0 • EPSS: 0% • CPEs: 1 • EXPL: 1

11 Sep 2023 — Relative Path Traversal in GitHub repository mintplex-labs/anything-llm prior to 0.0.1. • https://github.com/mintplex-labs/anything-llm/commit/3c88aec034934bcbad30c5ef1cab62cbbdb98e64 • CWE-23: Relative Path Traversal