How severe is CVE-2024-3104?

This vulnerability has a severity rating of CRITICAL with a CVSS score of 9.6 out of 10.

What type of vulnerability is CVE-2024-3104?

This is classified as CWE-78, which is a common weakness in software security.

CVE-2024-3104 - CRITICAL Severity | CVSS 9.6

Vulnerability Description

A remote code execution vulnerability exists in mintplex-labs/anything-llm due to improper handling of environment variables. Attackers can exploit this vulnerability by injecting arbitrary environment variables via the `POST /api/system/update-env` endpoint, which allows for the execution of arbitrary code on the host running anything-llm. The vulnerability is present in the latest version of anything-llm, with the latest commit identified as fde905aac1812b84066ff72e5f2f90b56d4c3a59. This issue has been fixed in version 1.0.0. Successful exploitation could lead to code execution on the host, enabling attackers to read and modify data accessible to the user running the service, potentially leading to a denial of service.

Related Vulnerabilities

CVE-2020-15121

CRITICAL

CVSS:9.6(Critical)

In radare2 before version 4.5.0, malformed PDB file names in the PDB server path cause shell injection. To trigger the problem it's required to open the executable in radare2 and run idpd to trigger t...

CWE-782020

CVE-2020-15272

CRITICAL

CVSS:9.6(Critical)

In the git-tag-annotation-action (open source GitHub Action) before version 1.0.1, an attacker can execute arbitrary (*) shell commands if they can control the value of [the `tag` input] or manage to ...

CWE-782020

CVE-2022-21178

CRITICAL

CVSS:9.6(Critical)

An os command injection vulnerability exists in the confsrv ucloud_add_new_node functionality of TCL LinkHub Mesh Wifi MS1G_00_01.00_14. A specially-crafted network packet can lead to arbitrary comman...

CWE-782022

CVE-2022-22140

CRITICAL

CVSS:9.6(Critical)

An os command injection vulnerability exists in the confsrv ucloud_add_node functionality of TCL LinkHub Mesh Wi-Fi MS1G_00_01.00_14. A specially-crafted network packet can lead to arbitrary command e...

CWE-782022

CVE-2023-28102

CRITICAL

CVSS:9.6(Critical)

discordrb is an implementation of the Discord API using Ruby. In discordrb before commit `91e13043ffa` the `encoder.rb` file unsafely constructs a shell string using the file parameter, which can pote...

CWE-782023

CVE-2023-3974

CRITICAL

CVSS:9.6(Critical)

OS Command Injection in GitHub repository jgraph/drawio prior to 21.4.0.

CWE-782023