Summary
A vulnerability has been discovered in Agnai that permits attackers to upload image files at attacker-chosen location on the server. This issue can lead to image file uploads to unauthorized or unintended directories, including overwriting of existing images which may be used for defacement.
This does not affect:
- agnai.chat
- installations using S3-compatible storage
- self-hosting that is not publicly exposed
CWE-35: Path Traversal
https://cwe.mitre.org/data/definitions/35.html
CVSS4.0 - 2.3 Low
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
Details
This is a path traversal vulnerability. An attacker can exploit this vulnerability by sending a specially crafted request to the editCharacter
handler https://github.com/agnaistic/agnai/blob/75abbd5b0f5e48ddecc805365cf1574d05ee1ce5/srv/api/character.ts#L140:
POST /api/character/28cbe508-2fa9-4890-886e-61d73e22006c%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%61%70%70%2f%64%69%73%74%2f%64%61%6e%79%61%6e%67 HTTP/1.1
The path traversal character sequence makes it’s way into the id
variable which is then string interpolated into filename
.
export async function entityUpload(kind: string, id: string, attachment?: Attachment) {
if (!attachment) return
const filename = `${kind}-${id}`
return upload(attachment, filename)
}
https://github.com/agnaistic/agnai/blob/75abbd5b0f5e48ddecc805365cf1574d05ee1ce5/srv/api/upload.ts#L55
No path normalization is conducted nor checked, so attackers can freely manipulate the path which the file is uploaded to.
Impact
This vulnerability is classified as a path traversal vulnerability. Attackers can upload image files to arbitrary locations, potentially overwriting critical system image files.
Credit
Security research in collaboration with Analyst Danyang Liu (noe223) @noe233
References
Summary
A vulnerability has been discovered in Agnai that permits attackers to upload image files at attacker-chosen location on the server. This issue can lead to image file uploads to unauthorized or unintended directories, including overwriting of existing images which may be used for defacement.
This does not affect:
CWE-35: Path Traversal
https://cwe.mitre.org/data/definitions/35.html
CVSS4.0 - 2.3 Low
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
Details
This is a path traversal vulnerability. An attacker can exploit this vulnerability by sending a specially crafted request to the
editCharacter
handler https://github.com/agnaistic/agnai/blob/75abbd5b0f5e48ddecc805365cf1574d05ee1ce5/srv/api/character.ts#L140:The path traversal character sequence makes it’s way into the
id
variable which is then string interpolated intofilename
.https://github.com/agnaistic/agnai/blob/75abbd5b0f5e48ddecc805365cf1574d05ee1ce5/srv/api/upload.ts#L55
No path normalization is conducted nor checked, so attackers can freely manipulate the path which the file is uploaded to.
Impact
This vulnerability is classified as a path traversal vulnerability. Attackers can upload image files to arbitrary locations, potentially overwriting critical system image files.
Credit
Security research in collaboration with Analyst Danyang Liu (noe223) @noe233
References