CVE-2024-0436
published 2024-02-26CVE-2024-0436: Theoretically, it would be possible for an attacker to brute-force the password for an instance in single-user password protection mode via a timing attack…
PriorityP432medium5.9CVSS 3.1
AVNACHPRNUINSUCHINAN
EPSS
0.48%
37.8th percentile
Theoretically, it would be possible for an attacker to brute-force the password for an instance in single-user password protection mode via a timing attack given the linear nature of the `!==` used for comparison.
The risk is minified by the additional overhead of the request, which varies in a non-constant nature making the attack less reliable to execute
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| chrome_chrome | — | — | |
| mintplex-labs | mintplex-labs_anything-llm | >= unspecified < 1.0.0 | 1.0.0 |
| mintplexlabs | anythingllm | < 1.0.0 | 1.0.0 |
CVSS provenance
nvdv3.15.9MEDIUMCVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
nvdv3.07.1HIGHCVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-cg5m-p8pg-93cg: Theoretically, it would be possible for an attacker to brute-force the password for an instance in single-user password protection mode via a timing a
ghsa_unreviewed·2024-02-26
CVE-2024-0436 [HIGH] CWE-203 GHSA-cg5m-p8pg-93cg: Theoretically, it would be possible for an attacker to brute-force the password for an instance in single-user password protection mode via a timing a
Theoretically, it would be possible for an attacker to brute-force the password for an instance in single-user password protection mode via a timing attack given the linear nature of the `!==` used for comparison.
The risk is minified by the additional overhead of the request, which varies in a non-constant nature making the attack less reliable to execute
Chrome
Stable Channel Update for Desktop: CVE-2025-0434
vendor_chrome·2025-01-14·CVSS 8.8
CVE-2025-0434 [HIGH] Stable Channel Update for Desktop: CVE-2025-0434
Stable Channel Update for Desktop
CVE-2025-0434: Out of bounds memory access in V8. Reported by ddme on 2024-10-21 [$7000][ 379652406 ] High CVE-2025-0435: Inappropriate implementation in Navigation
Reported by Alesandro Ortiz on 2024-11-18 [$3000][ 382786791 ] High CVE-2025-0436: Integer overflow in Skia
Severity: high
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://github.com/mintplex-labs/anything-llm/commit/3c859ba3038121b67fb98e87dc52617fa27cbef0https://huntr.com/bounties/3e73cb96-c038-46a1-81b7-4d2215b36268https://github.com/mintplex-labs/anything-llm/commit/3c859ba3038121b67fb98e87dc52617fa27cbef0https://huntr.com/bounties/3e73cb96-c038-46a1-81b7-4d2215b36268
2024-02-26
Published