CVE-2024-3150— AnythingLLM 输入验证错误漏洞

Privilege Escalation in mintplex-labs/anything-llm

In mintplex-labs/anything-llm, a vulnerability exists in the thread update process that allows users with Default or Manager roles to escalate their privileges to Administrator. The issue arises from improper input validation when handling HTTP POST requests to the endpoint `/workspace/:slug/thread/:threadSlug/update`. Specifically, the application fails to validate or check user input before passing it to the `workspace_thread` Prisma model for execution. This oversight allows attackers to craft a Prisma relation query operation that manipulates the `users` model to change a user's role to admin. Successful exploitation grants attackers the highest level of user privileges, enabling them to see and perform all actions within the system.

N/A

对异常条件的处理不恰当

AnythingLLM 输入验证错误漏洞

AnythingLLM是符合业务要求的文档聊天机器人。 AnythingLLM 存在输入验证错误漏洞，该漏洞源于应用程序在将用户输入传递给 Prisma 模型执行之前未能验证或检查用户输入。

N/A

N/A