CVE-2024-6842
HIGHCVSS v3
7.5
HIGH
EPSS Score
72.6%
exploit probability
CISA KEV
No
known exploited
Exploitation
—
SSVC status
Description
In version 1.5.5 of mintplex-labs/anything-llm, the `/setup-complete` API endpoint allows unauthorized users to access sensitive system settings. The data returned by the `currentSettings` function includes sensitive information such as API keys for search engines, which can be exploited by attackers to steal these keys and cause loss of user assets.
Technical Details
- Published
- 3/20/2025
Frequently Asked Questions
What is CVE-2024-6842?
In version 1.5.5 of mintplex-labs/anything-llm, the `/setup-complete` API endpoint allows unauthorized users to access sensitive system settings. The data returned by the `currentSettings` function includes sensitive information such as API keys for search engines, which can be exploited by attackers to steal these keys and cause loss of user assets.
Is CVE-2024-6842 actively exploited?
Active exploitation of CVE-2024-6842 has not been confirmed. The EPSS score is 72.6%, indicating the estimated probability of exploitation in the next 30 days.
What is the CVSS score for CVE-2024-6842?
CVE-2024-6842 has a CVSS v3 base score of 7.5 (HIGH severity).
Is CVE-2024-6842 affecting your environment?
Use isMalicious to check if any of your IPs or domains are associated with this vulnerability's IOCs.