CVE-2024-5213

In mintplex-labs/anything-llm versions up to and including 1.5.3, an issue was discovered where the password hash of a user is returned in the response after login (`POST /api/request-token`) and after account creations (`POST /api/admin/users/new`). This exposure occurs because the entire User object, including the bcrypt password hash, is included in the response sent to the frontend. This practice could potentially lead to sensitive information exposure despite the use of bcrypt, a strong hashing algorithm. It is recommended not to expose any clues about passwords to the frontend.
Configurations

Configuration 1 (hide)

cpe:2.3:a:mintplexlabs:anythingllm:*:*:*:*:*:*:*:*

History

17 Jul 2024, 14:36

Type Values Removed Values Added
CVSS v2 : unknown
v3 : 5.3
v2 : unknown
v3 : 6.5
References () https://github.com/mintplex-labs/anything-llm/commit/9df4521113ddb9a3adb5d0e3941e7d494992629c - () https://github.com/mintplex-labs/anything-llm/commit/9df4521113ddb9a3adb5d0e3941e7d494992629c - Patch
References () https://huntr.com/bounties/8794fb65-50aa-40e3-b348-a29838dbf63d - () https://huntr.com/bounties/8794fb65-50aa-40e3-b348-a29838dbf63d - Exploit, Third Party Advisory
CPE cpe:2.3:a:mintplexlabs:anythingllm:*:*:*:*:*:*:*:*
First Time Mintplexlabs
Mintplexlabs anythingllm

20 Jun 2024, 12:43

Type Values Removed Values Added
Summary
  • (es) En las versiones de mintplex-labs/anything-llm hasta la 1.5.3 incluida, se descubrió un problema por el cual el hash de la contraseña de un usuario se devuelve en la respuesta después de iniciar sesión (`POST /api/request-token`) y después de la creación de la cuenta. (`POST /api/admin/usuarios/nuevo`). Esta exposición se produce porque todo el objeto Usuario, incluido el hash de la contraseña de bcrypt, se incluye en la respuesta enviada al frontend. Esta práctica podría conducir potencialmente a la exposición de información confidencial a pesar del uso de bcrypt, un potente algoritmo hash. Se recomienda no exponer ninguna pista sobre contraseñas en la interfaz.

20 Jun 2024, 03:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-06-20 03:15

Updated : 2024-07-17 14:36


NVD link : CVE-2024-5213

Mitre link : CVE-2024-5213

CVE.ORG link : CVE-2024-5213


JSON object : View

Products Affected

mintplexlabs

  • anythingllm
CWE
CWE-1230

Exposure of Sensitive Information Through Metadata