How severe is CVE-2024-3279?

This vulnerability has a severity rating of CRITICAL with a CVSS score of 9.1 out of 10.

What type of vulnerability is CVE-2024-3279?

This is classified as CWE-284, which is a common weakness in software security.

CVE-2024-3279 - CRITICAL Severity | CVSS 9.1

Vulnerability Description

An improper access control vulnerability exists in the mintplex-labs/anything-llm application, specifically within the import endpoint. This vulnerability allows an anonymous attacker, without an account in the application, to import their own database file, leading to the deletion or spoofing of the existing `anythingllm.db` file. By exploiting this vulnerability, attackers can serve malicious data to users or collect information about them. The vulnerability stems from the application's failure to properly restrict access to the data-import functionality, allowing unauthorized database manipulation.

Related Vulnerabilities

CVE-2013-5654

CRITICAL

CVSS:9.1(Critical)

Vulnerability in YingZhi Python Programming Language v1.9 allows arbitrary anonymous uploads to the phone's storage

CWE-2842013

CVE-2015-1000009

CRITICAL

CVSS:9.1(Critical)

Open proxy in Wordpress plugin google-adsense-and-hotel-booking v1.05

CWE-2842015

CVE-2015-8361

CRITICAL

CVSS:9.1(Critical)

Multiple unspecified services in Atlassian Bamboo before 5.9.9 and 5.10.x before 5.10.0 do not require authentication, which allows remote attackers to obtain sensitive information, modify settings, o...

CWE-2842015

CVE-2016-4501

CRITICAL

CVSS:9.1(Critical)

Environmental Systems Corporation (ESC) 8832 Data Controller 3.02 and earlier mishandles sessions, which allows remote attackers to bypass authentication and make arbitrary configuration changes via u...

CWE-2842016

CVE-2016-4694

CRITICAL

CVSS:9.1(Critical)

The Apache HTTP Server in Apple OS X before 10.12 and OS X Server before 5.2 follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted CGI client data ...

CWE-2842016

CVE-2016-5599

CRITICAL

CVSS:9.1(Critical)

Unspecified vulnerability in the Oracle Advanced Supply Chain Planning component in Oracle Supply Chain Products Suite 12.2.3 through 12.2.5 allows remote attackers to affect confidentiality and integ...

CWE-2842016