
AVID-2026-R1356

Description

Download and export of file via default user role (CVE-2024-0551)

Details

The export endpoint allows a user holding the default user role to trigger an export of the database and of the associated exported data of the system. The attacker must already have been granted an account on the system before the attack.

The deterministic export file name is a lower risk in practice: the export UI starts the download at the same time the export is created, and the export is deleted from the system once it has been downloaded, so the window in which another user could guess the name and fetch the file is short.

The fix is to restrict the export endpoint to a higher privilege level than the default user role.

Reason for inclusion in AVID: The CVE describes improper access control that enables export of database data via the default user role, leading to potential data exfiltration. The affected artifact, mintplex-labs/anything-llm, is an AI system component, so the issue is relevant to AI software stacks and pipelines. This constitutes a software supply-chain vulnerability within AI systems (data exposure via a component used to build and deploy AI). The vulnerability is security-related (data leakage due to insufficient access control) and the report provides explicit evidence (CVE entry, description, affected artifacts).

References

Affected or Relevant Artifacts

  • Developer: mintplex-labs
  • Deployer: mintplex-labs
  • Artifact Details:
    Type: System
    Name: mintplex-labs/anything-llm

Impact

AVID Taxonomy Categorization

  • Risk domains: Security
  • SEP subcategories: S0100: Software Vulnerability
  • Lifecycle stages: L06: Deployment

CVSS

Version: 3.0
Vector String: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
Base Score: 7.1
Base Severity: 🔴 High
Attack Vector: NETWORK
Attack Complexity: 🟢 Low
Privileges Required: 🟢 Low
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: 🔴 High
Integrity Impact: 🟢 Low
Availability Impact: NONE

CWE

ID: CWE-284
Description: Improper Access Control

Other information

  • Report Type: Advisory
  • Credits:
  • Date Reported: 2024-02-27
  • Version: 0.3.3