mintplex-labs/anything-llm version latest contains a vulnerability where sensitive information, specifically a password, is improperly stored within a JWT (JSON Web Token) used as a bearer token in single user mode. When decoded, the JWT reveals the password in plaintext. This improper storage of sensitive information poses significant security risks, as an attacker who gains access to the JWT can easily decode it and retrieve the password. The issue is fixed in version 1.0.3.
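As an added illustration (not code from the anything-llm project or the advisory), the following inspector decodes a JWT payload without verifying its signature and flags credential-bearing claims, and contrasts a constructed token built the vulnerable way with one that carries only a session identity. The claim names, key and values are assumptions, not the project's actual fields.

```python
import base64
import hashlib
import hmac
import json

# Claim names that must never appear in a JWT payload: the payload is only
# base64url-encoded, not encrypted, so anyone holding the token can read it.
SENSITIVE_CLAIMS = {"password", "passwd", "pwd", "secret", "api_key"}

def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def mint_hs256(claims: dict, key: bytes) -> str:
    """Build an HS256 JWT; used here only to construct sample tokens."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

def leaked_claims(token: str) -> list:
    """Return sensitive claim names found in a token's payload.
    Decoding deliberately skips signature verification: reading the payload
    needs no key, which is exactly why a credential must not be stored in it."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact-serialized JWS")
    payload = json.loads(_b64url_decode(parts[1]))
    return sorted(k for k in payload if k.lower() in SENSITIVE_CLAIMS)

# Constructed sample key and tokens; the claim names are assumptions, not
# the exact fields used by anything-llm.
SAMPLE_KEY = b"constructed-signing-key"
# Vulnerable pattern: the single-user password rides along in the payload.
VULNERABLE_TOKEN = mint_hs256({"password": "constructed-hunter2"}, SAMPLE_KEY)
# Fixed pattern: the payload identifies the session, never the credential.
FIXED_TOKEN = mint_hs256({"sub": "single-user", "iat": 1700000000}, SAMPLE_KEY)

if __name__ == "__main__":
    print(leaked_claims(VULNERABLE_TOKEN))  # ['password']
    print(leaked_claims(FIXED_TOKEN))       # []
```

Running the inspector over tokens issued by a deployment is a quick way to confirm a patched build no longer places the credential in the payload.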
References
Link | Resource
---|---
https://github.com/mintplex-labs/anything-llm/commit/4430ddb05988470bc8f0479e7d07db1f7d4646ba | Patch
https://huntr.com/bounties/20e9950f-ad41-4d6b-8bd0-c7f7051695b3 | Exploit, Mitigation, Third Party Advisory
History
31 Oct 2024, 15:49
Type | Values Removed | Values Added
---|---|---
Summary | |
CVSS | | v2 : unknown, v3 : 7.5
References | | https://github.com/mintplex-labs/anything-llm/commit/4430ddb05988470bc8f0479e7d07db1f7d4646ba - Patch
References | | https://huntr.com/bounties/20e9950f-ad41-4d6b-8bd0-c7f7051695b3 - Exploit, Mitigation, Third Party Advisory
CPE | | cpe:2.3:a:mintplexlabs:anythingllm:*:*:*:*:*:*:*:*
First Time | | Mintplexlabs anythingllm, Mintplexlabs
29 Oct 2024, 13:15
Type | Values Removed | Values Added
---|---|---
New CVE | |
Information
Published : 2024-10-29 13:15
Updated : 2024-10-31 15:49
NVD link : CVE-2024-7783
Mitre link : CVE-2024-7783
CVE.ORG link : CVE-2024-7783
Products Affected
mintplexlabs
- anythingllm
CWE
CWE-312
Cleartext Storage of Sensitive Information