CVE-2024-5216

A vulnerability in mintplex-labs/anything-llm allows for a Denial of Service (DoS) condition due to uncontrolled resource consumption. Specifically, the issue arises from the application's failure to limit the size of usernames, enabling attackers to create users with excessively bulky texts in the username field. This exploit results in the user management panel becoming unresponsive, preventing administrators from performing critical user management actions such as editing, suspending, or deleting users. The impact of this vulnerability includes administrative paralysis, compromised security, and operational disruption, as it allows malicious users to perpetuate their presence within the system indefinitely, undermines the system's security posture, and degrades overall system performance.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

V3 Legend

Vector : AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/mintplex-labs/anything-llm/commit/3ef009de73c837f9025df8bba62572885c70c72f
https://huntr.com/bounties/8ec14991-ee35-493d-a8d3-21a1cfd57869
https://github.com/mintplex-labs/anything-llm/commit/3ef009de73c837f9025df8bba62572885c70c72f
https://huntr.com/bounties/8ec14991-ee35-493d-a8d3-21a1cfd57869

Configurations

No configuration.

History

21 Nov 2024, 09:47

Type	Values Removed	Values Added
References	~~() https://github.com/mintplex-labs/anything-llm/commit/3ef009de73c837f9025df8bba62572885c70c72f -~~	() https://github.com/mintplex-labs/anything-llm/commit/3ef009de73c837f9025df8bba62572885c70c72f -
References	~~() https://huntr.com/bounties/8ec14991-ee35-493d-a8d3-21a1cfd57869 -~~	() https://huntr.com/bounties/8ec14991-ee35-493d-a8d3-21a1cfd57869 -
Summary		(es) Una vulnerabilidad en mintplex-labs/anything-llm permite una condición de Denegación de Servicio (DoS) debido al consumo incontrolado de recursos. Específicamente, el problema surge porque la aplicación no limita el tamaño de los nombres de usuario, lo que permite a los atacantes crear usuarios con textos excesivamente voluminosos en el campo de nombre de usuario. Este exploit hace que el panel de administración de usuarios deje de responder, lo que impide que los administradores realicen acciones críticas de administración de usuarios, como editar, suspender o eliminar usuarios. El impacto de esta vulnerabilidad incluye parálisis administrativa, seguridad comprometida e interrupción operativa, ya que permite a los usuarios malintencionados perpetuar su presencia dentro del sistema indefinidamente, socava la postura de seguridad del sistema y degrada el rendimiento general del sistema.

25 Jun 2024, 11:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-06-25 11:15

Updated : 2024-11-21 09:47

NVD link : CVE-2024-5216

Mitre link : CVE-2024-5216

CVE.ORG link : CVE-2024-5216

JSON object : View

Products Affected

No product.

CWE

CWE-400

Uncontrolled Resource Consumption

7.5 /10