CVE-2024-4284
📋 TL;DR
A vulnerability in mintplex-labs/anything-llm allows authenticated users with manager or admin privileges to cause a denial of service by modifying a user's ID to 0, rendering the account permanently inaccessible. This affects all deployments running versions before 1.0.0. The issue stems from insufficient input validation in user modification endpoints.
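The pattern behind this bug, as an added illustration that is not AnythingLLM's own code: an "update user" handler that merges every submitted field into the stored record lets a manager or admin re-key the account to 0, after which the session and login lookups by the original ID fail. The in-memory store, the field names and the handler names below are assumptions for this example; the hardened version next to it allowlists the mutable fields and rejects any attempt to change `id`.

```javascript
// Added example, not AnythingLLM's code. Store layout, field names and
// handler names are assumptions made for this illustration.

// Constructed in-memory user table keyed by numeric id.
function makeStore() {
  return new Map([
    [1, { id: 1, username: "admin", role: "admin" }],
    [2, { id: 2, username: "alice", role: "default" }],
  ]);
}

// Vulnerable pattern: every key in the request body is merged into the row,
// `id` included, so a body of { id: 0 } re-keys the account to 0.
function updateUserVulnerable(store, targetId, body) {
  const user = store.get(targetId);
  if (!user) return { ok: false, error: "not found" };
  const updated = { ...user, ...body };
  store.delete(targetId);
  store.set(updated.id, updated);
  return { ok: true, user: updated };
}

// Lookup the way a session or login path does it: by the id it already
// holds. After the vulnerable update the old id no longer resolves.
function findById(store, id) {
  return store.get(id) || null;
}

// Hardened pattern: only an explicit allowlist of mutable fields is copied,
// any `id` in the body is refused outright, and unknown keys are rejected
// rather than silently written through.
const MUTABLE_FIELDS = new Set(["username", "role", "suspended"]);

function updateUserHardened(store, targetId, body) {
  if (Object.prototype.hasOwnProperty.call(body, "id")) {
    return { ok: false, error: "id is immutable" };
  }
  const unknown = Object.keys(body).filter((k) => !MUTABLE_FIELDS.has(k));
  if (unknown.length > 0) {
    return { ok: false, error: `unsupported fields: ${unknown.join(",")}` };
  }
  const user = store.get(targetId);
  if (!user) return { ok: false, error: "not found" };
  const updated = { ...user };
  for (const k of Object.keys(body)) updated[k] = body[k];
  store.set(targetId, updated);
  return { ok: true, user: updated };
}

// Usage: alice (id 2) is re-keyed to 0 by the vulnerable handler and can no
// longer be found by id 2; the hardened handler refuses the same request.
const demo = makeStore();
updateUserVulnerable(demo, 2, { id: 0 });
console.log("vulnerable: lookup of id 2 ->", findById(demo, 2));
console.log("hardened:", updateUserHardened(makeStore(), 2, { id: 0 }));
```

The point of the allowlist over a denylist is that a new column added to the user model later is not writable until someone deliberately adds it to `MUTABLE_FIELDS`; a handler that only strips `id` stays exposed to the next sensitive field.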
💻 Affected Systems
- mintplex-labs/anything-llm
📦 What is this software?
AnythingLLM by Mintplex Labs, a self-hosted application for chatting with documents through LLMs; user accounts and roles (default, manager, admin) are managed by the application itself.
⚠️ Risk & Real-World Impact
Worst Case
Malicious insider or compromised admin account could permanently disable all user accounts, causing complete service disruption and requiring manual database intervention to restore access.
Likely Case
Accidental or intentional modification of user IDs by privileged users leads to account lockouts requiring administrative database access to fix.
If Mitigated
With proper access controls and monitoring, impact is limited to isolated account issues that can be resolved through database maintenance.
🎯 Exploit Status
Exploitation requires authenticated access with manager/admin privileges. The technique is straightforward once privileged access is obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.0.0
Vendor Advisory: https://github.com/mintplex-labs/anything-llm/commit/1b35bcbeab10b77e6dbd263cceecf1b965a40789
Restart Required: Yes
Instructions:
1. Update to version 1.0.0 or later.
2. Restart the anything-llm service.
3. Verify the fix by checking the running version and confirming that a user update which sets the ID to 0 is rejected.
🔧 Temporary Workarounds
Restrict Privileged Access
Limit manager and admin roles to essential personnel and enforce strict access controls on those accounts.
Database Monitoring
Monitor the database for changes to user IDs, in particular any row whose ID becomes 0.
🧯 If You Can't Patch
- Implement strict least-privilege access controls for manager and admin roles
- Monitor user modification API endpoints and database changes for suspicious activity
🔍 How to Verify
Check if Vulnerable:
Check whether the deployment runs a version before 1.0.0 by examining the application version or the deployed commit. Vulnerable if the commit is 57984fa85c31988b2eff429adfc654c46e0c342a or earlier.
Check Version:
Check application version in UI or configuration files, or run: git log --oneline -1
Verify Fix Applied:
Confirm version is 1.0.0 or later. Test that user ID modification to value 0 is properly rejected with input validation.
📡 Detection & Monitoring
Log Indicators:
- API requests modifying user IDs, particularly to value 0
- Failed login attempts from previously working accounts
- Database queries updating user table with ID=0
Network Indicators:
- HTTP POST requests to user modification endpoints with ID parameter set to 0
SIEM Query:
source="application_logs" AND (message="*user*modif*" OR message="*id=0*")
🔗 References
- https://github.com/mintplex-labs/anything-llm/commit/1b35bcbeab10b77e6dbd263cceecf1b965a40789
- https://huntr.com/bounties/a5f45596-0aef-49e0-9f7d-63f1955a1552