
CVE-2024-47171 agnai

Package

Manager: npm
Name: agnai
Vulnerable Version: >=0 <1.0.330

Severity

Level: Low

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00173 (percentile: 0.3911)

Details

Agnai vulnerable to Relative Path Traversal in Image Upload

### Summary

A vulnerability has been discovered in **Agnai** that permits attackers to upload image files to an attacker-chosen location on the server. This issue can lead to image file uploads to unauthorized or unintended directories, including overwriting of existing images, which may be used for defacement.

This does not affect:

- agnai.chat
- installations using S3-compatible storage
- self-hosting that is not publicly exposed

### CWE-35: Path Traversal

https://cwe.mitre.org/data/definitions/35.html

### CVSS4.0 - 2.3 Low

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

### Details

This is a path traversal vulnerability. An attacker can exploit this vulnerability by sending a specially crafted request to the `editCharacter` handler (https://github.com/agnaistic/agnai/blob/75abbd5b0f5e48ddecc805365cf1574d05ee1ce5/srv/api/character.ts#L140):

```http
POST /api/character/28cbe508-2fa9-4890-886e-61d73e22006c%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%61%70%70%2f%64%69%73%74%2f%64%61%6e%79%61%6e%67 HTTP/1.1
```

The path traversal character sequence makes its way into the `id` variable, which is then string-interpolated into `filename`.

```ts
export async function entityUpload(kind: string, id: string, attachment?: Attachment) {
  if (!attachment) return
  // `id` comes from the request path and is used here without validation
  const filename = `${kind}-${id}`
  return upload(attachment, filename)
}
```

https://github.com/agnaistic/agnai/blob/75abbd5b0f5e48ddecc805365cf1574d05ee1ce5/srv/api/upload.ts#L55

The path is neither normalized nor checked, so attackers can freely manipulate the location the file is uploaded to.

### Impact

This vulnerability is classified as a path traversal vulnerability. Attackers can upload image files to arbitrary locations, potentially overwriting critical system image files.

### Credit

Security research in collaboration with Analyst [Danyang Liu (noe223)](https://github.com/noe233) @noe233
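The missing normalization and check described under Details can be sketched as follows. This is an added example, not Agnai's code or its actual fix. The upload root `/app/dist/assets`, the kind `avatar`, and the helpers `resolveInside` and `safeUploadName` are assumptions made for illustration.

```typescript
import * as path from "node:path";

// Assumed upload root for this sketch; not taken from the Agnai code base.
export const ASSET_ROOT = "/app/dist/assets";

// Allowlist for kind and id: letters, digits, "_" and "-" only, so "/", "\",
// "." and "%" can never reach the filename.
const SAFE_PART = /^[A-Za-z0-9_-]{1,64}$/;

// The id segment from the request shown in the advisory, still percent-encoded.
export const ADVISORY_ID =
  "28cbe508-2fa9-4890-886e-61d73e22006c%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%61%70%70%2f%64%69%73%74%2f%64%61%6e%79%61%6e%67";

// Hypothetical helper: resolve `filename` under `root` and return the absolute
// path, or null when normalization moves it outside `root`.
export function resolveInside(root: string, filename: string): string | null {
  const base = path.posix.resolve(root);
  const full = path.posix.resolve(base, filename);
  return full.startsWith(base + "/") ? full : null;
}

// Hypothetical helper: build the same `${kind}-${id}` name as entityUpload,
// but only from validated parts. Returns null when the input is rejected.
export function safeUploadName(kind: string, rawId: string): string | null {
  let id: string;
  try {
    // Decode first so an encoded separator cannot slip past the allowlist.
    id = decodeURIComponent(rawId);
  } catch {
    return null; // malformed percent-encoding
  }
  if (!SAFE_PART.test(kind) || !SAFE_PART.test(id)) return null;
  const filename = `${kind}-${id}`;
  // Defense in depth: the name must still resolve inside the upload root.
  return resolveInside(ASSET_ROOT, filename) ? filename : null;
}
```

The allowlist rejects the request before any path is built; the containment check catches the same input independently if the allowlist is ever loosened.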

Metadata

Created: 2024-09-26T18:16:13Z
Modified: 2024-09-26T21:11:07Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/09/GHSA-g54f-66mw-hv66/GHSA-g54f-66mw-hv66.json
CWE IDs: ["CWE-22", "CWE-35"]
Alternative ID: GHSA-g54f-66mw-hv66
Finding: F063
Auto approve: 1