Anythingllm
CVEs (69)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2024-0440 | | | 0.00 | — | 0.01 | | Feb 25, 2024 | Attacker, with permission to submit a link or submits a link via POST to be collected that is using the file:// protocol can then introspect host files and other relatively stored files. |
| CVE-2024-0798 | | | 0.00 | — | 0.01 | | Feb 25, 2024 | A privilege escalation vulnerability exists in mintplex-labs/anything-llm, allowing users with 'default' role to delete documents uploaded by 'admin'. Despite the intended restriction that prevents 'default' role users from deleting admin-uploaded documents, an attacker can… |
| CVE-2024-0455 | | | 0.00 | — | 0.01 | | Feb 25, 2024 | The inclusion of the web scraper for AnythingLLM means that any user with the proper authorization level (manager, admin, and when in single user) could put in the URL `http://169.254.169.254/latest/meta-data/identity-credentials/ec2/security-credentials/ec2-instance`… |
| CVE-2024-22422 | | | 0.00 | — | 0.01 | | Jan 19, 2024 | AnythingLLM is an application that turns any document, resource, or piece of content into context that any LLM can use as references during chatting. In versions prior to commit `08d33cfd8` an unauthenticated API route (file export) can allow attacker to crash the server… |
| CVE-2023-5833 | | | 0.00 | — | 0.01 | | Oct 30, 2023 | Improper Access Control in GitHub repository mintplex-labs/anything-llm prior to 0.1.0. |
| CVE-2023-5832 | | | 0.00 | — | 0.01 | | Oct 30, 2023 | Improper Input Validation in GitHub repository mintplex-labs/anything-llm prior to 0.1.0. |
| CVE-2023-4899 | | | 0.00 | — | 0.01 | | Sep 11, 2023 | SQL Injection in GitHub repository mintplex-labs/anything-llm prior to 0.0.1. |
| CVE-2023-4898 | | | 0.00 | — | 0.01 | | Sep 11, 2023 | Authentication Bypass by Primary Weakness in GitHub repository mintplex-labs/anything-llm prior to 0.0.1. |
| CVE-2023-4897 | | | 0.00 | — | 0.01 | | Sep 11, 2023 | Relative Path Traversal in GitHub repository mintplex-labs/anything-llm prior to 0.0.1. |