CVE-2024-47170
Published 2024-09-26
Priority P4 · 24 · medium · 4.3 (CVSS 3.1)
AV:N / AC:L / PR:L / UI:N / S:U / C:L / I:N / A:N
EPSS: 0.46% (36.2th percentile)
Agnai is an artificial-intelligence-agnostic multi-user, multi-bot roleplaying chat system. A vulnerability in versions prior to 1.0.330 permits attackers to read arbitrary JSON files at attacker-chosen locations on the server. This issue can lead to unauthorized access to sensitive information and exposure of confidential configuration files. This only affects installations with `JSON_STORAGE` enabled, which is intended for local/self-hosting only. Version 1.0.330 fixes this issue.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| agnai | agnai | < 1.0.330 | 1.0.330 |
| agnai | agnai | >= 0 < 1.0.330 | 1.0.330 |
| agnaistic | agnai | < 1.0.330 | 1.0.330 |
GHSA
Agnai File Disclosure Vulnerability: JSON via Path Traversal
ghsa·2024-09-26
CVE-2024-47170 [LOW] CWE-22 Agnai File Disclosure Vulnerability: JSON via Path Traversal
### CWE-35: Path Traversal
https://cwe.mitre.org/data/definitions/35.html
### CVSSv3.1 4.3 - Medium
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
### Summary
A vulnerability has been discovered in **Agnai** that permits attackers to read arbitrary JSON files at attacker-chosen locations on the server. This issue can lead to unauthorized access to sensitive information and exposure of confidential configuration files.
**This only affects installations with `JSON_STORAGE` enabled, which is intended for local/self-hosting only.**
### Details & PoC
This is a path traversal vulnerability. An attacker can exploit this vulnerability by sending a specially crafted reques
OSV
Agnai File Disclosure Vulnerability: JSON via Path Traversal
osv·2024-09-26
CVE-2024-47170 [LOW] Agnai File Disclosure Vulnerability: JSON via Path Traversal
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.