A privilege escalation vulnerability exists in mintplex-labs/anything-llm, allowing users with 'default' role to delete documents uploaded by 'admin'. Despite the intended restriction that prevents 'default' role users from deleting admin-uploaded documents, an attacker can exploit this vulnerability by sending a crafted DELETE request to the /api/system/remove-document endpoint. This vulnerability is due to improper access control checks, enabling unauthorized document deletion and potentially leading to loss of data integrity.
References
Configurations
No configuration.
History
21 Nov 2024, 08:47
Type | Values Removed | Values Added |
---|---|---|
References | () https://github.com/mintplex-labs/anything-llm/commit/d5cde8b7c27a47ab45b05b441db16751537f1733 - | |
References | () https://huntr.com/bounties/607f03a0-ab4d-4905-b253-3d28bbbd363c - |
16 Apr 2024, 12:15
Type | Values Removed | Values Added |
---|---|---|
Summary |
|
|
Summary | (en) A privilege escalation vulnerability exists in mintplex-labs/anything-llm, allowing users with 'default' role to delete documents uploaded by 'admin'. Despite the intended restriction that prevents 'default' role users from deleting admin-uploaded documents, an attacker can exploit this vulnerability by sending a crafted DELETE request to the /api/system/remove-document endpoint. This vulnerability is due to improper access control checks, enabling unauthorized document deletion and potentially leading to loss of data integrity. |
26 Feb 2024, 16:32
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2024-02-26 16:27
Updated : 2024-11-21 08:47
NVD link : CVE-2024-0798
Mitre link : CVE-2024-0798
CVE.ORG link : CVE-2024-0798
JSON object : View
Products Affected
No product.
CWE
CWE-272
Least Privilege Violation