GHSA-g54f-66mw-hv66

Описание

Summary

A vulnerability has been discovered in Agnai that permits attackers to upload image files at attacker-chosen location on the server. This issue can lead to image file uploads to unauthorized or unintended directories, including overwriting of existing images which may be used for defacement.

This does not affect:

• agnai.chat
• installations using S3-compatible storage
• self-hosting that is not publicly exposed

CWE-35: Path Traversal

https://cwe.mitre.org/data/definitions/35.html

CVSS4.0 - 2.3 Low

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Details

This is a path traversal vulnerability. An attacker can exploit this vulnerability by sending a specially crafted request to the editCharacter handler https://github.com/agnaistic/agnai/blob/75abbd5b0f5e48ddecc805365cf1574d05ee1ce5/srv/api/character.ts#L140:

The path traversal character sequence makes it’s way into the id variable which is then string interpolated into filename.

https://github.com/agnaistic/agnai/blob/75abbd5b0f5e48ddecc805365cf1574d05ee1ce5/srv/api/upload.ts#L55

No path normalization is conducted nor checked, so attackers can freely manipulate the path which the file is uploaded to.

Impact

This vulnerability is classified as a path traversal vulnerability. Attackers can upload image files to arbitrary locations, potentially overwriting critical system image files.

Credit

Security research in collaboration with Analyst Danyang Liu (noe223) @noe233