CVE-2024-7783

mintplex-labs/anything-llm version latest contains a vulnerability where sensitive information, specifically a password, is improperly stored within a JWT (JSON Web Token) used as a bearer token in single user mode. When decoded, the JWT reveals the password in plaintext. This improper storage of sensitive information poses significant security risks, as an attacker who gains access to the JWT can easily decode it and retrieve the password. The issue is fixed in version 1.0.3.
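The weakness described above is CWE-312 applied to a JWT: a JWT is signed, not encrypted, so every claim in the payload is readable by anyone who holds the token, with no key required. The following is an added Python example (not code from the anything-llm project) that builds an HS256 token the vulnerable way, with a hypothetical "password" claim, beside a hardened token that carries only a subject identifier, and includes a defender-side check that flags sensitive claim names in any token's payload. The secret, claim names and values are constructed for the example.

```python
import base64
import hashlib
import hmac
import json

# Constructed signing secret for the example; not a real key.
SECRET = b"example-signing-secret"
# Claim names that should never appear in a token payload (assumed list).
SENSITIVE_CLAIMS = {"password", "passwd", "pwd", "secret", "api_key"}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # Restore the padding that JWT base64url encoding strips.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def issue_jwt(claims: dict, secret: bytes = SECRET) -> str:
    """Build an HS256 JWT. The signature proves integrity; it hides nothing."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"},
                                separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def decode_payload_unverified(token: str) -> dict:
    """Read the claims without any key: what any holder of the token can do."""
    _, payload, _ = token.split(".")
    return json.loads(_b64url_decode(payload))


def verify_jwt(token: str, secret: bytes = SECRET):
    """Return the claims if the HS256 signature is valid, otherwise None."""
    header, payload, sig = token.split(".")
    expected = hmac.new(secret, f"{header}.{payload}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return None
    return json.loads(_b64url_decode(payload))


def sensitive_claims(token: str) -> list:
    """Defender-side check: claim names in the payload that leak credentials."""
    return sorted(k for k in decode_payload_unverified(token)
                  if k.lower() in SENSITIVE_CLAIMS)


# Vulnerable pattern: the login password is copied into the bearer token.
vulnerable_token = issue_jwt({"sub": "single-user", "password": "hunter2"})

# Hardened pattern: the token identifies the session and nothing more;
# the password stays server-side (stored as a hash, never in the token).
hardened_token = issue_jwt({"sub": "single-user", "iat": 1700000000})

if __name__ == "__main__":
    print("vulnerable payload:", decode_payload_unverified(vulnerable_token))
    print("flagged claims:", sensitive_claims(vulnerable_token))
    print("hardened payload:", decode_payload_unverified(hardened_token))
```

The check in sensitive_claims needs no signing key, which is the whole point: an auditor, a proxy log reviewer, or an attacker all see the same payload. Rotating the signing secret does nothing for a password that has already been read out of a leaked token, so the fix is to stop putting it there, as the referenced patch does.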
Configurations

Configuration 1

cpe:2.3:a:mintplexlabs:anythingllm:*:*:*:*:*:*:*:*

History

31 Oct 2024, 15:49

Summary
  • Values Added: (es) The latest version of mintplex-labs/anything-llm contains a vulnerability in which sensitive information, specifically a password, is improperly stored within a JWT (JSON Web Token) used as a bearer token in single user mode. When decoded, the JWT reveals the password in plaintext. This improper storage of sensitive information poses significant security risks, as an attacker who gains access to the JWT can easily decode it and retrieve the password. The issue was fixed in version 1.0.3.
CVSS
  • Values Removed: v2: unknown, v3: 5.9
  • Values Added: v2: unknown, v3: 7.5
References
  • Values Removed: https://github.com/mintplex-labs/anything-llm/commit/4430ddb05988470bc8f0479e7d07db1f7d4646ba
  • Values Added: https://github.com/mintplex-labs/anything-llm/commit/4430ddb05988470bc8f0479e7d07db1f7d4646ba - Patch
References
  • Values Removed: https://huntr.com/bounties/20e9950f-ad41-4d6b-8bd0-c7f7051695b3
  • Values Added: https://huntr.com/bounties/20e9950f-ad41-4d6b-8bd0-c7f7051695b3 - Exploit, Mitigation, Third Party Advisory
CPE
  • Values Added: cpe:2.3:a:mintplexlabs:anythingllm:*:*:*:*:*:*:*:*
First Time
  • Values Added: Mintplexlabs anythingllm
  • Values Added: Mintplexlabs

29 Oct 2024, 13:15

New CVE

Information

Published : 2024-10-29 13:15

Updated : 2024-10-31 15:49


NVD link : CVE-2024-7783

Mitre link : CVE-2024-7783

CVE.ORG link : CVE-2024-7783



Products Affected

mintplexlabs

  • anythingllm
CWE
CWE-312

Cleartext Storage of Sensitive Information