How severe is CVE-2024-0455?

This vulnerability has a severity rating of CRITICAL with a CVSS score of 9.9 out of 10.

What type of vulnerability is CVE-2024-0455?

This is classified as CWE-918, which is a common weakness in software security.

CVE-2024-0455 - CRITICAL Severity | CVSS 9.9

Vulnerability Description

The inclusion of the web scraper for AnythingLLM means that any user with the proper authorization level (manager, admin, and when in single user) could put in the URL ``` http://169.254.169.254/latest/meta-data/identity-credentials/ec2/security-credentials/ec2-instance ``` which is a special IP and URL that resolves only when the request comes from within an EC2 instance. This would allow the user to see the connection/secret credentials for their specific instance and be able to manage it regardless of who deployed it. The user would have to have pre-existing knowledge of the hosting infra which the target instance is deployed on, but if sent - would resolve if on EC2 and the proper `iptable` or firewall rule is not configured for their setup.

Related Vulnerabilities

CVE-2017-13667

CRITICAL

CVSS:9.9(Critical)

OX Software GmbH OX App Suite 7.8.4 and earlier is affected by: SSRF.

CWE-9182017

CVE-2018-1789

CRITICAL

CVSS:9.9(Critical)

IBM API Connect v2018.1.0 through v2018.3.4 could allow an attacker to send a specially crafted request to conduct a server side request forgery attack. IBM X-Force ID: 148939.

CWE-9182018

CVE-2021-32639

CRITICAL

CVSS:9.9(Critical)

Emissary is a P2P-based, data-driven workflow engine. Emissary version 6.4.0 is vulnerable to Server-Side Request Forgery (SSRF). In particular, the `RegisterPeerAction` endpoint and the `AddChildDire...

CWE-9182021

CVE-2021-33690

CRITICAL

CVSS:9.9(Critical)

Server-Side Request Forgery (SSRF) vulnerability has been detected in the SAP NetWeaver Development Infrastructure Component Build Service versions - 7.11, 7.20, 7.30, 7.31, 7.40, 7.50The SAP NetWeave...

CWE-9182021

CVE-2024-6784

HIGH

CVSS:9.9(Critical)

Server-Side Request Forgery vulnerabilities were found providing a potential for access to unauthorized resources and unintended information disclosure. Affected products: ABB ASPECT - Enterprise v3.0...

CWE-9182024

CVE-2025-29972

CRITICAL

CVSS:9.9(Critical)

Server-Side Request Forgery (SSRF) in Azure allows an authorized attacker to perform spoofing over a network.

CWE-9182025