CVE-2024-3102: 
Homebrew vulnerability analysis and mitigation

A JSON Injection vulnerability (CVE-2024-3102) was discovered in the mintplex-labs/anything-llm application, specifically affecting the username parameter during the login process at the /api/request-token endpoint. The vulnerability was disclosed on June 6, 2024, and affects versions up to (excluding) 1.0.0 of the application (NVD).

The vulnerability stems from improper handling of values in the login process, which allows attackers to perform brute force attacks without prior knowledge of the username. The vulnerability has been assigned a CVSS v3.1 base score of 5.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N. The weakness is categorized as CWE-307 (Improper Restriction of Excessive Authentication Attempts) (NVD).

When successfully exploited, attackers can conduct blind attacks to ascertain the full username once the password is known, significantly compromising system security. The vulnerability primarily affects the confidentiality of the system, with no direct impact on integrity or availability (NVD).

A patch has been released that addresses the vulnerability by properly handling string conversion for username and password parameters during the authentication process. The fix involves modifying the token request functionality to prevent JSON injection attacks (GitHub Patch).