CVE-2024-47170

Agnai is an artificial-intelligence-agnostic multi-user, mult-bot roleplaying chat system. A vulnerability in versions prior to 1.0.330 permits attackers to read arbitrary JSON files at attacker-chosen locations on the server. This issue can lead to unauthorized access to sensitive information and exposure of confidential configuration files. This only affects installations with `JSON_STORAGE` enabled which is intended to local/self-hosting only. Version 1.0.330 fixes this issue.

Agnai is an artificial-intelligence-agnostic multi-user, mult-bot roleplaying chat system. A vulnerability in versions prior to 1.0.330 permits attackers to read arbitrary JSON files at attacker-chosen locations on the server. This issue can lead to unauthorized access to sensitive information and exposure of confidential configuration files. This only affects installations with `JSON_STORAGE` enabled which is intended to local/self-hosting only. Version 1.0.330 fixes this issue.

### CWE-35: Path Traversal https://cwe.mitre.org/data/definitions/35.html ### CVSSv3.1 4.3 - Medium CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N ### Summary A vulnerability has been discovered in **Agnai** that permits attackers to read arbitrary JSON files at attacker-chosen locations on the server. This issue can lead to unauthorized access to sensitive information and exposure of confidential configuration files. **This only affects installations with `JSON_STORAGE` enabled which is intended to local/self-hosting only.** ### Details & PoC This is a path traversal vulnerability. An attacker can exploit this vulnerability by sending a specially crafted request: ```tsx GET /api/json/messages/%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%61%70%70%2fpackage HTTP/1.1 ``` In this example, the attacker retrieves the `package.json` file content from the server by manipulating the file path. The request is processed by the `loadMessages` handler in `agnai/srv/api/json/index.ts` and a file is read and returned to the client. The read filename is constructed using string interpolation, with no guard or check for path traversal: https://github.com/agnaistic/agnai/blob/2b878b7ca66471c5dd080197ad9ca2f7f0022655/srv/api/json/index.ts#L77 #### Constraints Environment constraints: JSON Storage enabled (non standard) ### Impact This vulnerability is classified as a path traversal vulnerability. Specifically, any JSON file on the server which the webserver process has read privileges for, can be disclosed to the attacker. ### Credit - @ropwareJB - @noe233

### CWE-35: Path Traversal https://cwe.mitre.org/data/definitions/35.html ### CVSSv3.1 4.3 - Medium CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N ### Summary A vulnerability has been discovered in **Agnai** that permits attackers to read arbitrary JSON files at attacker-chosen locations on the server. This issue can lead to unauthorized access to sensitive information and exposure of confidential configuration files. **This only affects installations with `JSON_STORAGE` enabled which is intended to local/self-hosting only.** ### Details & PoC This is a path traversal vulnerability. An attacker can exploit this vulnerability by sending a specially crafted request: ```tsx GET /api/json/messages/%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%61%70%70%2fpackage HTTP/1.1 ``` In this example, the attacker retrieves the `package.json` file content from the server by manipulating the file path. The request is processed by the `loadMessages` handler in `agnai/srv/api/json/index.ts` and a file is read and returned to the client. The read filename is constructed using string interpolation, with no guard or check for path traversal: https://github.com/agnaistic/agnai/blob/2b878b7ca66471c5dd080197ad9ca2f7f0022655/srv/api/json/index.ts#L77 #### Constraints Environment constraints: JSON Storage enabled (non standard) ### Impact This vulnerability is classified as a path traversal vulnerability. Specifically, any JSON file on the server which the webserver process has read privileges for, can be disclosed to the attacker. ### Credit - @ropwareJB - @noe233

Agnai es un sistema de chat multiusuario y multibot que funciona con inteligencia artificial y es independiente de la misma. Una vulnerabilidad en las versiones anteriores a la 1.0.330 permite a los atacantes leer archivos JSON arbitrarios en ubicaciones elegidas por el atacante en el servidor. Este problema puede provocar acceso no autorizado a información confidencial y la exposición de archivos de configuración confidenciales. Esto solo afecta a las instalaciones con `JSON_STORAGE` habilitado, que está destinado únicamente al alojamiento local o propio. La versión 1.0.330 soluciona este problema.