CVE-2024-3279

Source
https://cve.org/CVERecord?id=CVE-2024-3279
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-3279.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-3279
Published
2024-08-09T00:00:14.589Z
Modified
2026-07-08T06:27:26.599418359Z
Severity
  • 9.1 (Critical) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H CVSS Calculator
Summary
Improper Access Control in mintplex-labs/anything-llm
Details

An improper access control vulnerability exists in the mintplex-labs/anything-llm application, specifically within the import endpoint. This vulnerability allows an anonymous attacker, without an account in the application, to import their own database file, leading to the deletion or spoofing of the existing anythingllm.db file. By exploiting this vulnerability, attackers can serve malicious data to users or collect information about them. The vulnerability stems from the application's failure to properly restrict access to the data-import functionality, allowing unauthorized database manipulation.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/3xxx/CVE-2024-3279.json",
    "cna_assigner": "@huntr_ai",
    "cwe_ids": [
        "CWE-306"
    ]
}
References

Affected packages

Git / github.com/mintplex-labs/anything-llm

Affected ranges

Type
GIT
Repo
https://github.com/mintplex-labs/anything-llm
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed
Database specific
{
    "cpe": "cpe:2.3:a:mintplexlabs:anythingllm:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "1.0.0"
        }
    ],
    "source": [
        "CPE_RANGE",
        "REFERENCES"
    ]
}

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-3279.json"