
File Disclosure: JSON via Path Traversal

Moderate
sceuick published GHSA-h355-hm5h-cm8h Sep 26, 2024

Package

npm agnai (npm)

Affected versions

< 1.0.330

Patched versions

>= 1.0.330

Description

CWE-35: Path Traversal

https://cwe.mitre.org/data/definitions/35.html

CVSSv3.1 4.3 - Medium

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Summary

We have identified a vulnerability in Agnai that permits an authenticated attacker to read arbitrary JSON files at attacker-chosen locations on the server. This issue can lead to unauthorized access to sensitive information and exposure of confidential configuration files.
This only affects installations with JSON_STORAGE enabled, which is intended for local/self-hosted installations only.

Details & PoC

This is a path traversal vulnerability. An authenticated attacker can exploit it by sending a specially crafted request such as:

GET /api/json/messages/%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%61%70%70%2fpackage HTTP/1.1

The last path segment is percent-encoded (%2e is ".", %2f is "/", %61%70%70 is "app") so that the entire traversal sequence is carried in the single id route parameter rather than being split on the slashes; once the router decodes it, the parameter value is ../../../../app/package. In this example the attacker retrieves the contents of the server's package.json by manipulating the file path.

The request is handled by the loadMessages handler in agnai/srv/api/json/index.ts, which reads a file from the JSON storage directory and returns its contents to the client. The filename is built by string interpolation from the unvalidated route parameter, with no guard or check for path traversal (note that the interpolation also appends the .json suffix, which is why the PoC omits it):

const messages = await read(`messages-${params.id}.json`)

Constraints

Environment constraints: JSON Storage enabled (non-standard; intended for local/self-hosted installations only)

Impact

This is a path traversal vulnerability with a file disclosure impact. Any file ending in .json that the web server process has read access to can be disclosed to an authenticated attacker. Because the handler appends the .json suffix itself, files with other extensions are not reachable through this path, but configuration files such as package.json and any JSON-format secrets stored on the host are.


Severity

Moderate


CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
Low
User interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None


CVE ID

CVE-2024-47170
