GHSA-G54F-66MW-HV66

Vulnerability from github – Published: 2024-09-26 18:16 – Updated: 2024-09-26 21:11
Summary
Agnai vulnerable to Relative Path Traversal in Image Upload
Details

Summary

A vulnerability has been discovered in Agnai that permits attackers to upload image files at attacker-chosen location on the server. This issue can lead to image file uploads to unauthorized or unintended directories, including overwriting of existing images which may be used for defacement.

This does not affect:

  • agnai.chat
  • installations using S3-compatible storage
  • self-hosting that is not publicly exposed

CWE-35: Path Traversal

https://cwe.mitre.org/data/definitions/35.html

CVSS4.0 - 2.3 Low

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Details

This is a path traversal vulnerability. An attacker can exploit this vulnerability by sending a specially crafted request to the editCharacter handler https://github.com/agnaistic/agnai/blob/75abbd5b0f5e48ddecc805365cf1574d05ee1ce5/srv/api/character.ts#L140:

POST /api/character/28cbe508-2fa9-4890-886e-61d73e22006c%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%61%70%70%2f%64%69%73%74%2f%64%61%6e%79%61%6e%67 HTTP/1.1

The path traversal character sequence makes its way into the id variable, which is then string-interpolated into filename.

export async function entityUpload(kind: string, id: string, attachment?: Attachment) {
  if (!attachment) return
  // id arrives from the route parameter unchanged, so any traversal sequence in it
  // becomes part of the destination filename
  const filename = `${kind}-${id}`
  return upload(attachment, filename)
}

https://github.com/agnaistic/agnai/blob/75abbd5b0f5e48ddecc805365cf1574d05ee1ce5/srv/api/upload.ts#L55

The id is neither normalized nor validated before it is used in the path, so an attacker controls the location the file is written to.
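As an added illustration (this is not Agnai's code, and the advisory does not describe the change shipped in 1.0.330), the TypeScript below shows two defensive layers a handler like entityUpload could apply: a strict allow-list on the id route parameter, and a check that the resolved destination stays under the upload root even if the filename is later built from other inputs. The upload root /app/uploads, the function names and the UUID shape of the id are assumptions; the sample id is the percent-decoded form of the request line quoted above, which is what the route handler would receive.

```typescript
import * as path from "path";

// Assumed upload root; the real Agnai storage location is not stated in the advisory.
export const UPLOAD_ROOT = "/app/uploads";

// Layer 1: accept only the identifier shape the route expects (assumed here to be a UUID)
// and a short alphabetic kind label. Anything else is refused before a path is built.
const ID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
const KIND_RE = /^[a-z]+$/;

export function buildEntityFilename(kind: string, id: string): string {
  if (!KIND_RE.test(kind)) throw new Error("invalid kind");
  if (!ID_RE.test(id)) throw new Error("invalid id");
  return `${kind}-${id}`;
}

// Layer 2: resolve the final path and confirm it is still inside the root.
// The trailing separator matters: "/app/uploads-other" must not count as inside "/app/uploads".
// Assumes POSIX-style paths.
export function resolveUploadPath(root: string, filename: string): string {
  const rootAbs = path.resolve(root);
  const target = path.resolve(rootAbs, filename);
  if (target !== rootAbs && !target.startsWith(rootAbs + path.sep)) {
    throw new Error("path escapes upload root");
  }
  return target;
}

// Combined check: true only if both layers accept the input.
export function isSafeUpload(kind: string, id: string): boolean {
  try {
    resolveUploadPath(UPLOAD_ROOT, buildEntityFilename(kind, id));
    return true;
  } catch {
    return false;
  }
}

// Sample route parameter, decoded from the request line in the advisory (constructed here
// for the demonstration; the encoded "%2f%2e%2e" pairs become "/.." after decoding).
export const SAMPLE_TRAVERSAL_ID = decodeURIComponent(
  "28cbe508-2fa9-4890-886e-61d73e22006c%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%61%70%70%2f%64%69%73%74%2f%64%61%6e%79%61%6e%67"
);
export const SAMPLE_BENIGN_ID = "28cbe508-2fa9-4890-886e-61d73e22006c";

console.log("benign id accepted:", isSafeUpload("character", SAMPLE_BENIGN_ID));
console.log("traversal id accepted:", isSafeUpload("character", SAMPLE_TRAVERSAL_ID));
```

The allow-list alone blocks the advisory's input, but the root check is kept as an independent guard: it also catches a filename assembled from a different, less strictly validated field, and it fails closed rather than silently rewriting the path.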

Impact

This vulnerability is classified as a path traversal vulnerability. Attackers can upload image files to arbitrary locations, potentially overwriting critical system image files.

Credit

Security research in collaboration with Analyst Danyang Liu (noe223) @noe233


{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "agnai"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.0.330"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-47171"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-35"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-09-26T18:16:13Z",
    "nvd_published_at": "2024-09-26T18:15:10Z",
    "severity": "LOW"
  },
  "details": "### Summary\n\nA vulnerability has been discovered in **Agnai** that permits attackers to upload image files at attacker-chosen location on the server. This issue can lead to image file uploads to unauthorized or unintended directories, including overwriting of existing images which may be used for defacement.\n\nThis does not affect:\n\n- agnai.chat\n- installations using S3-compatible storage\n- self-hosting that is not publicly exposed\n\n### CWE-35: Path Traversal\n\nhttps://cwe.mitre.org/data/definitions/35.html\n\n### CVSS4.0 - 2.3 Low\n\nCVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N\n\n### Details\n\nThis is a path traversal vulnerability. An attacker can exploit this vulnerability by sending a specially crafted request to the `editCharacter` handler https://github.com/agnaistic/agnai/blob/75abbd5b0f5e48ddecc805365cf1574d05ee1ce5/srv/api/character.ts#L140:\n\n```tsx\nPOST /api/character/28cbe508-2fa9-4890-886e-61d73e22006c%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%61%70%70%2f%64%69%73%74%2f%64%61%6e%79%61%6e%67 HTTP/1.1\n```\n\nThe path traversal character sequence makes it\u2019s way into the `id` variable which is then string interpolated into `filename`. \n\n```jsx\nexport async function entityUpload(kind: string, id: string, attachment?: Attachment) {\n  if (!attachment) return\n  const filename = `${kind}-${id}`\n  return upload(attachment, filename)\n}\n```\n\nhttps://github.com/agnaistic/agnai/blob/75abbd5b0f5e48ddecc805365cf1574d05ee1ce5/srv/api/upload.ts#L55\n\nNo path normalization is conducted nor checked, so attackers can freely manipulate the path which the file is uploaded to.\n\n### Impact\n\nThis vulnerability is classified as a path traversal vulnerability. Attackers can upload image files to arbitrary locations, potentially overwriting critical system image files.\n\n### Credit\nSecurity research in collaboration with Analyst [Danyang Liu (noe223)](https://github.com/noe233) @noe233",
  "id": "GHSA-g54f-66mw-hv66",
  "modified": "2024-09-26T21:11:07Z",
  "published": "2024-09-26T18:16:13Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/agnaistic/agnai/security/advisories/GHSA-g54f-66mw-hv66"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47171"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/agnaistic/agnai"
    },
    {
      "type": "WEB",
      "url": "https://github.com/agnaistic/agnai/blob/75abbd5b0f5e48ddecc805365cf1574d05ee1ce5/srv/api/character.ts#L140:"
    },
    {
      "type": "WEB",
      "url": "https://github.com/agnaistic/agnai/blob/75abbd5b0f5e48ddecc805365cf1574d05ee1ce5/srv/api/upload.ts#L55"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Agnai vulnerable to Relative Path Traversal in Image Upload"
}

