CVE-2024-0455

Name of the Vulnerable Software and Affected Versions AnythingLLM (affected versions not specified)

Description The issue allows users with proper authorization levels (manager, admin, and when in single user mode) to access sensitive information by using a web scraper to query a specific URL: "http://169.254.169.254/latest/meta-data/identity-credentials/ec2/security-credentials/ec2-instance". This URL is only resolvable from within an EC2 instance and could reveal connection and secret credentials for the instance, enabling unauthorized management. The exploit requires pre-existing knowledge of the hosting infrastructure and specific conditions such as improperly configured iptables or firewall rules.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.