CVE-2024-47171: Agnai vulnerable to Relative Path Traversal in Image Upload
A vulnerability has been discovered in Agnai that permits attackers to upload image files to an attacker-chosen location on the server. This issue can lead to image file uploads into unauthorized or unintended directories, including overwriting existing images, which may be used for defacement.
This does not affect:
- agnai.chat
- installations using S3-compatible storage
- self-hosting that is not publicly exposed
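The flaw class above is a client-supplied filename joined onto the storage directory, so "../" components walk out of it. The following is an added illustration, not Agnai's own code or its fix: the vulnerable join beside a hardened version that allow-lists the filename and checks that the resolved path stays inside the upload root. The upload directory, function names and the filename pattern are assumptions for the example.

```typescript
import * as path from "path";

// Hypothetical upload root; Agnai's real directory layout is not given on the page.
export const UPLOAD_ROOT = path.resolve("/srv/agnai/assets");

// Allow-list: a bare name with no separators, no leading dot and an image extension.
// Rejecting by shape also stops encoded separators, null bytes and hidden files.
const SAFE_NAME = /^[A-Za-z0-9_-]{1,64}\.(png|jpe?g|webp|gif)$/i;

// Vulnerable pattern: trusting the client name. path.join normalises the
// ".." components, so the result lands outside UPLOAD_ROOT.
export function unsafeUploadPath(clientName: string): string {
  return path.join(UPLOAD_ROOT, clientName);
}

// Hardened version. Throws on anything that is not an allow-listed bare filename
// or that resolves outside the upload root.
export function safeUploadPath(clientName: string): string {
  const base = path.basename(clientName);
  if (base !== clientName || !SAFE_NAME.test(base)) {
    throw new Error(`rejected filename: ${JSON.stringify(clientName)}`);
  }
  const resolved = path.resolve(UPLOAD_ROOT, base);
  // Defence in depth: compare with the trailing separator so that a sibling
  // directory such as /srv/agnai/assets2 is not accepted as "inside".
  if (!resolved.startsWith(UPLOAD_ROOT + path.sep)) {
    throw new Error(`escaped upload root: ${resolved}`);
  }
  return resolved;
}

// Convenience predicate for validation layers and tests: true when the
// hardened check would reject the name.
export function isRejected(clientName: string): boolean {
  try {
    safeUploadPath(clientName);
    return false;
  } catch {
    return true;
  }
}
```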
References
- github.com/advisories/GHSA-g54f-66mw-hv66
- github.com/agnaistic/agnai
- github.com/agnaistic/agnai/blob/75abbd5b0f5e48ddecc805365cf1574d05ee1ce5/srv/api/character.ts
- github.com/agnaistic/agnai/blob/75abbd5b0f5e48ddecc805365cf1574d05ee1ce5/srv/api/upload.ts
- github.com/agnaistic/agnai/security/advisories/GHSA-g54f-66mw-hv66
- nvd.nist.gov/vuln/detail/CVE-2024-47171
Detect and mitigate CVE-2024-47171 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning.