CVE-2024-3033

{"id": "CVE-2024-3033", "cveTags": [], "metrics": {"cvssMetricV30": [{"type": "Secondary", "source": "security@huntr.dev", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 5.2, "exploitabilityScore": 3.9}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.4, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 5.5, "exploitabilityScore": 3.9}]}, "published": "2024-06-06T18:15:17.040", "references": [{"url": "https://github.com/mintplex-labs/anything-llm/commit/bf8df60c02b9ddc7ba682809ca12c5637606393a", "tags": ["Patch"], "source": "security@huntr.dev"}, {"url": "https://huntr.com/bounties/8a98a0b4-7886-41c5-8624-fc5c21972e5a", "tags": ["Exploit", "Third Party Advisory"], "source": "security@huntr.dev"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "security@huntr.dev", "description": [{"lang": "en", "value": "CWE-863"}]}, {"type": "Secondary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-863"}]}], "descriptions": [{"lang": "en", "value": "An improper authorization vulnerability exists in the mintplex-labs/anything-llm application, specifically within the '/api/v/' endpoint and its sub-routes. This flaw allows unauthenticated users to perform destructive actions on the VectorDB, including resetting the database and deleting specific namespaces, without requiring any authorization or permissions. The issue affects all versions up to and including the latest version, with a fix introduced in version 1.0.0. Exploitation of this vulnerability can lead to complete data loss of document embeddings across all workspaces, rendering workspace chats and embeddable chat widgets non-functional. Additionally, attackers can list all namespaces, potentially exposing private workspace names."}, {"lang": "es", "value": "Existe una vulnerabilidad de autorizaci\u00f3n inadecuada en la aplicaci\u00f3n mintplex-labs/anything-llm, espec\u00edficamente dentro del endpoint '/api/v/' y sus subrutas. Esta falla permite a usuarios no autenticados realizar acciones destructivas en VectorDB, incluido restablecer la base de datos y eliminar espacios de nombres espec\u00edficos, sin requerir autorizaci\u00f3n ni permisos. El problema afecta a todas las versiones hasta la \u00faltima versi\u00f3n incluida, con una soluci\u00f3n introducida en la versi\u00f3n 1.0.0. La explotaci\u00f3n de esta vulnerabilidad puede provocar la p\u00e9rdida completa de datos de documentos incrustados en todos los espacios de trabajo, lo que hace que los chats del espacio de trabajo y los widgets de chat incrustados no funcionen. Adem\u00e1s, los atacantes pueden enumerar todos los espacios de nombres, lo que podr\u00eda exponer los nombres de los espacios de trabajo privados."}], "lastModified": "2024-11-03T17:15:13.627", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:mintplexlabs:anythingllm:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0D667E32-5A5C-479C-BB81-47F3BCA38C13", "versionEndExcluding": "1.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "security@huntr.dev"}