CVE-2024-0436

Published: Feb 25, 2024

Modified: Mar 27, 2025

PUBLISHED

CVSS v3.0

7.1

HIGH

Description

Theoretically, it would be possible for an attacker to brute-force the password for an instance in single-user password protection mode via a timing attack given the linear nature of the `!==` used for comparison. The risk is minified by the additional overhead of the request, which varies in a non-constant nature making the attack less reliable to execute

Vendor	Product	Versions
mintplex-labs	mintplex-labs/anything-llm	affected `unspecified - < 1.0.0`

Weaknesses (CWE)

CWE-203

CVSS v3.0 Details

CVSS v3.0 Vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

Low

Availability

None

References

https://huntr.com/bounties/3e73cb96-c038-46a1-81b7-4d2215b36268

https://github.com/mintplex-labs/anything-llm/commit/3c859ba3038121b67fb98e87dc52617fa27cbef0

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2024-0436

Description

Affected Products

Weaknesses (CWE)

CVSS v3.0 Details

References