CVE-2024-6842

HIGH

CVSS v3

7.5

HIGH

EPSS Score

72.6%

exploit probability

CISA KEV

No

known exploited

Exploitation

SSVC status

Description

In version 1.5.5 of mintplex-labs/anything-llm, the `/setup-complete` API endpoint allows unauthorized users to access sensitive system settings. The data returned by the `currentSettings` function includes sensitive information such as API keys for search engines, which can be exploited by attackers to steal these keys and cause loss of user assets.

Technical Details

Published
3/20/2025

Frequently Asked Questions

What is CVE-2024-6842?

In version 1.5.5 of mintplex-labs/anything-llm, the `/setup-complete` API endpoint allows unauthorized users to access sensitive system settings. The data returned by the `currentSettings` function includes sensitive information such as API keys for search engines, which can be exploited by attackers to steal these keys and cause loss of user assets.

Is CVE-2024-6842 actively exploited?

Active exploitation of CVE-2024-6842 has not been confirmed. The EPSS score is 72.6%, indicating the estimated probability of exploitation in the next 30 days.

What is the CVSS score for CVE-2024-6842?

CVE-2024-6842 has a CVSS v3 base score of 7.5 (HIGH severity).

Is CVE-2024-6842 affecting your environment?

Use isMalicious to check if any of your IPs or domains are associated with this vulnerability's IOCs.