CVE-2024-3028
📋 TL;DR
This vulnerability in mintplex-labs/anything-llm allows attackers to read and delete arbitrary files on the server by manipulating the 'logo_filename' parameter. Attackers can access sensitive files like the application's .env file containing credentials. Anyone running vulnerable versions of anything-llm is affected.
💻 Affected Systems
- mintplex-labs/anything-llm
📦 What is this software?
AnythingLLM by Mintplex Labs
⚠️ Risk & Real-World Impact
Worst Case
Complete server compromise via credential theft from .env files, followed by data exfiltration, ransomware deployment, or lateral movement.
Likely Case
Sensitive file disclosure including configuration files, credentials, and application data, potentially leading to unauthorized access.
If Mitigated
Limited impact with proper network segmentation and file system permissions preventing access to critical system files.
🎯 Exploit Status
Exploitation requires API access but is straightforward with simple path traversal techniques.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Commit 7de23dbb2da932fbfb39f56d981784d3702cf5ce and later
Vendor Advisory: https://github.com/mintplex-labs/anything-llm/commit/7de23dbb2da932fbfb39f56d981784d3702cf5ce
Restart Required: Yes
Instructions:
1. Update to the latest version of anything-llm.
2. Pull the latest code from GitHub.
3. Restart the anything-llm service.
🔧 Temporary Workarounds
API Endpoint Restriction
Restrict access to the vulnerable '/system-preferences' API endpoint using web server or application firewall rules.
# Example nginx location block to restrict access
location /api/system-preferences {
deny all;
}
File System Permissions
Set strict file system permissions to limit what files the anything-llm process can access.
# Restrict anything-llm to its own directory
chown -R anythingllm:anythingllm /opt/anything-llm
chmod 750 /opt/anything-llm
🧯 If You Can't Patch
- Implement strict network access controls to limit who can reach the anything-llm API endpoints.
- Monitor for unusual file access patterns and API requests containing path traversal sequences.
🔍 How to Verify
Check if Vulnerable:
Check if your anything-llm version is older than commit 7de23dbb2da932fbfb39f56d981784d3702cf5ce by examining the git history or version metadata.
Check Version:
git log --oneline -1
Verify Fix Applied:
Verify the fix by checking that path traversal attempts in the logo_filename parameter are properly rejected with error messages.
📡 Detection & Monitoring
Log Indicators:
- API requests to '/system-preferences' with unusual file paths in parameters
- Error logs showing file access failures for system files
Network Indicators:
- HTTP requests containing '../' sequences in parameters
- Unusual file read patterns from the anything-llm process
SIEM Query:
source="anything-llm.logs" AND (uri_path="/api/system-preferences" AND (param="logo_filename" AND value CONTAINS "../"))
🔗 References
- https://github.com/mintplex-labs/anything-llm/commit/7de23dbb2da932fbfb39f56d981784d3702cf5ce
- https://huntr.com/bounties/41016b86-eabb-4161-ac81-40a1ca8e82ac