// For flags

CVE-2024-3033

Improper Authorization in mintplex-labs/anything-llm

Severity Score

9.1
*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

Attend
*SSVC
Descriptions

An improper authorization vulnerability exists in the mintplex-labs/anything-llm application, specifically within the '/api/v/' endpoint and its sub-routes. This flaw allows unauthenticated users to perform destructive actions on the VectorDB, including resetting the database and deleting specific namespaces, without requiring any authorization or permissions. The issue affects all versions up to and including the latest version, with a fix introduced in version 1.0.0. Exploitation of this vulnerability can lead to complete data loss of document embeddings across all workspaces, rendering workspace chats and embeddable chat widgets non-functional. Additionally, attackers can list all namespaces, potentially exposing private workspace names.

Existe una vulnerabilidad de autorización inadecuada en la aplicación mintplex-labs/anything-llm, específicamente dentro del endpoint '/api/v/' y sus subrutas. Esta falla permite a usuarios no autenticados realizar acciones destructivas en VectorDB, incluido restablecer la base de datos y eliminar espacios de nombres específicos, sin requerir autorización ni permisos. El problema afecta a todas las versiones hasta la última versión incluida, con una solución introducida en la versión 1.0.0. La explotación de esta vulnerabilidad puede provocar la pérdida completa de datos de documentos incrustados en todos los espacios de trabajo, lo que hace que los chats del espacio de trabajo y los widgets de chat incrustados no funcionen. Además, los atacantes pueden enumerar todos los espacios de nombres, lo que podría exponer los nombres de los espacios de trabajo privados.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
High
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
High
Availability
High
Attack Vector
Network
Attack Complexity
Low
Authentication
None
Confidentiality
Partial
Integrity
Complete
Availability
Complete
* Common Vulnerability Scoring System
SSVC
  • Decision:Attend
Exploitation
Poc
Automatable
Yes
Tech. Impact
Total
* Organization's Worst-case Scenario
Timeline
  • 2024-03-27 CVE Reserved
  • 2024-06-06 CVE Published
  • 2024-11-03 CVE Updated
  • 2025-07-15 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-285: Improper Authorization
  • CWE-863: Incorrect Authorization
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Mintplexlabs
Search vendor "Mintplexlabs"
 Anythingllm
Search vendor "Mintplexlabs" for product "Anythingllm"
*-
Affected