CVE-2024-0759

Name of the Vulnerable Software and Affected Versions AnythingLLM (affected versions not specified)

Description If an instance of AnythingLLM is hosted on an internal network and the attacker is granted a permission level of manager or admin, they could link-scrape internally to resolve IPs of other services on the same network. This would require the attacker to guess the internal IPs, as ranging is not possible, but it could be brute forced. Other services on the same network should not be fully open and accessible via a simple CuRL with zero authentication.

Recommendations As a temporary workaround, consider restricting access to the link collector until a patch is available. Avoid using the link collector to access other services on the same network until the issue is resolved. Restrict the permission level of users to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.