Security
Headlines
HeadlinesLatestCVEs

Headline

GHSA-h355-hm5h-cm8h: Agnai File Disclosure Vulnerability: JSON via Path Traversal

CWE-35: Path Traversal

https://cwe.mitre.org/data/definitions/35.html

CVSSv3.1 4.3 - Medium

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Summary

A vulnerability has been discovered in Agnai that permits attackers to read arbitrary JSON files at attacker-chosen locations on the server. This issue can lead to unauthorized access to sensitive information and exposure of confidential configuration files. This only affects installations with JSON_STORAGE enabled which is intended to local/self-hosting only.

Details & PoC

This is a path traversal vulnerability. An attacker can exploit this vulnerability by sending a specially crafted request:

GET /api/json/messages/%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%61%70%70%2fpackage HTTP/1.1

In this example, the attacker retrieves the package.json file content from the server by manipulating the file path.

The request is processed by the loadMessages handler in agnai/srv/api/json/index.ts and a file is read and returned to the client. The read filename is constructed using string interpolation, with no guard or check for path traversal: https://github.com/agnaistic/agnai/blob/2b878b7ca66471c5dd080197ad9ca2f7f0022655/srv/api/json/index.ts#L77

Constraints

Environment constraints: JSON Storage enabled (non standard)

Impact

This vulnerability is classified as a path traversal vulnerability. Specifically, any JSON file on the server which the webserver process has read privileges for, can be disclosed to the attacker.

Credit

  • @ropwareJB
  • @noe233
ghsa
#vulnerability#web#js#git#auth

CWE-35: Path Traversal

https://cwe.mitre.org/data/definitions/35.html

CVSSv3.1 4.3 - Medium

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Summary

A vulnerability has been discovered in Agnai that permits attackers to read arbitrary JSON files at attacker-chosen locations on the server. This issue can lead to unauthorized access to sensitive information and exposure of confidential configuration files.
This only affects installations with JSON_STORAGE enabled which is intended to local/self-hosting only.

Details & PoC

This is a path traversal vulnerability. An attacker can exploit this vulnerability by sending a specially crafted request:

GET /api/json/messages/%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%61%70%70%2fpackage HTTP/1.1

In this example, the attacker retrieves the package.json file content from the server by manipulating the file path.

The request is processed by the loadMessages handler in agnai/srv/api/json/index.ts and a file is read and returned to the client. The read filename is constructed using string interpolation, with no guard or check for path traversal: https://github.com/agnaistic/agnai/blob/2b878b7ca66471c5dd080197ad9ca2f7f0022655/srv/api/json/index.ts#L77

Constraints

Environment constraints: JSON Storage enabled (non standard)

Impact

This vulnerability is classified as a path traversal vulnerability. Specifically, any JSON file on the server which the webserver process has read privileges for, can be disclosed to the attacker.

Credit

  • @ropwareJB
  • @noe233

References

  • GHSA-h355-hm5h-cm8h

ghsa: Latest News

GHSA-pjwm-cr36-mwv3: ReDoS in giskard's transformation.py (GHSL-2024-324)