CVE-2024-13059

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2024-13059

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-13059.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2024-13059

Published

2025-02-10T19:15:37Z

Modified

2025-02-11T08:39:42.654157Z

Summary

[none]

Details

A vulnerability in mintplex-labs/anything-llm prior to version 1.3.1 allows for path traversal due to improper handling of non-ASCII filenames in the multer library. This vulnerability can lead to arbitrary file write, which can subsequently result in remote code execution. The issue arises when the filename transformation introduces '../' sequences, which are not sanitized by multer, allowing attackers with manager or admin roles to write files to arbitrary locations on the server.

References

Affected packages

Git / github.com/mintplex-labs/anything-llm

Affected ranges

Type: GIT
Repo: https://github.com/mintplex-labs/anything-llm
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

0b7bf68f2c02ca68075970fbf85d5a70ca5e94ca

Affected versions

v1.*

v1.0.0

v1.1.0

v1.1.1

v1.2.0

v1.2.1

v1.2.2

v1.2.3

v1.2.4

v1.3.0