CVE-2024-5211

Name of the Vulnerable Software and Affected Versions anything-llm (affected versions not specified)

Description A path traversal issue allows a manager to bypass the normalizePath() function, enabling them to read, delete, or overwrite the 'anythingllm.db' database file and other files in the 'storage' directory, such as internal communication keys and .env secrets. This could lead to application compromise, denial of service (DoS) attacks, and unauthorized admin account takeover. The issue stems from improper validation of user-supplied input when setting a custom logo for the app, which can be manipulated to achieve arbitrary file read, deletion, or overwrite, and to execute a DoS attack by deleting critical files.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.