How severe is CVE-2024-2913?

This vulnerability has a severity rating of MEDIUM with a CVSS score of 6.5 out of 10.

What type of vulnerability is CVE-2024-2913?

This is classified as CWE-367, which is a common weakness in software security.

CVE-2024-2913 - MEDIUM Severity | CVSS 6.5

Vulnerability Description

A race condition vulnerability exists in the mintplex-labs/anything-llm repository, specifically within the user invite acceptance process. Attackers can exploit this vulnerability by sending multiple concurrent requests to accept a single user invite, allowing the creation of multiple user accounts from a single invite link intended for only one user. This bypasses the intended security mechanism that restricts invite acceptance to a single user, leading to unauthorized user creation without detection in the invite tab. The issue is due to the lack of validation for concurrent requests in the backend.

Related Vulnerabilities

CVE-2019-7307

MEDIUM

CVSS:6.5(Medium)

Apport before versions 2.14.1-0ubuntu3.29+esm1, 2.20.1-0ubuntu2.19, 2.20.9-0ubuntu7.7, 2.20.10-0ubuntu27.1, 2.20.11-0ubuntu5 contained a TOCTTOU vulnerability when reading the users ~/.apport-ignore.x...

CWE-3672019

CVE-2024-51563

MEDIUM

CVSS:6.5(Medium)

The virtio_vq_recordon function is subject to a time-of-check to time-of-use (TOCTOU) race condition.

CWE-3672024

CVE-2020-0358

MEDIUM

CVSS:6.4(Medium)

In SurfaceFlinger, there is a possible use after free due to a race condition. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed ...

CWE-3672020

CVE-2020-11220

MEDIUM

CVSS:6.4(Medium)

While processing storage SCM commands there is a time of check or time of use window where a pointer used could be invalid at a specific time while executing the storage SCM call in Snapdragon Auto, S...

CWE-3672020

CVE-2020-11230

MEDIUM

CVSS:6.4(Medium)

Potential arbitrary memory corruption when the qseecom driver updates ion physical addresses in the buffer as it exposes a physical address to user land in Snapdragon Auto, Snapdragon Compute, Snapdra...

CWE-3672020

CVE-2020-12926

MEDIUM

CVSS:6.4(Medium)

The Trusted Platform Modules (TPM) reference software may not properly track the number of times a failed shutdown happens. This can leave the TPM in a state where confidential key material in the TPM...

CWE-3672020