Vulnerabilities > CVE-2024-3033 - Incorrect Authorization vulnerability in Mintplexlabs Anythingllm 0.0.1/0.1.0

047910
CVSS 9.4 - CRITICAL
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
LOW
Integrity impact
HIGH
Availability impact
HIGH
network
low complexity
mintplexlabs
CWE-863
critical

Summary

An improper authorization vulnerability exists in the mintplex-labs/anything-llm application, specifically within the '/api/v/' endpoint and its sub-routes. This flaw allows unauthenticated users to perform destructive actions on the VectorDB, including resetting the database and deleting specific namespaces, without requiring any authorization or permissions. The issue affects all versions up to and including the latest version, with a fix introduced in version 1.0.0. Exploitation of this vulnerability can lead to complete data loss of document embeddings across all workspaces, rendering workspace chats and embeddable chat widgets non-functional. Additionally, attackers can list all namespaces, potentially exposing private workspace names.

Vulnerable Configurations

Part Description Count
Application
Mintplexlabs
3

Common Weakness Enumeration (CWE)