CVE-2024-0759
Severity CVSS v4.0:
Pending analysis
Type:
CWE-918
Server-Side Request Forgery (SSRF)
Publication date:
27/02/2024
Last modified:
07/03/2024
Description
Should an instance of AnythingLLM be hosted on an internal network and the attacked be explicitly granted a permission level of manager or admin, they could link-scrape internally resolving IPs of other services that are on the same network as AnythingLLM.<br />
<br />
This would require the attacker also be able to guess these internal IPs as `/*` ranging is not possible, but could be brute forced.<br />
<br />
There is a duty of care that other services on the same network would not be fully open and accessible via a simple CuRL with zero authentication as it is not possible to set headers or access via the link collector.
Impact
Base Score 3.x
7.70
Severity 3.x
HIGH