Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22)
A vulnerability in Agnai allows attackers to upload arbitrary files, including JavaScript, to attacker-chosen locations on the server. Because the attacker controls both the content and the location of the file, the uploaded code can subsequently be executed on the server.
This vulnerability could result in unauthorized access, full server compromise, data leakage, and other critical security threats. The impact is severe, with high confidentiality, integrity, and availability impacts. Attackers can potentially gain control over the server, execute arbitrary code, and access or modify sensitive data.
There is no evidence that a public proof-of-concept exists, and there is no evidence of exploitation in the wild at the moment.
A patch is available. The vulnerability was patched on September 26, 2024, as indicated by the patch details from the GitHub Advisory.
1. Update to the latest patched version of Agnai immediately.
2. If immediate patching is not possible, consider the following:
   - Use S3-compatible storage for installations, as these are not affected.
   - Ensure self-hosted installations are not publicly exposed.
   - Implement strict input validation and file upload restrictions.
   - Monitor for any suspicious file uploads or unexpected server behavior.
3. Regularly audit and restrict file upload functionalities.
4. Implement the principle of least privilege for server processes.
5. Use a Web Application Firewall (WAF) to help detect and block malicious requests.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Detection for the vulnerability has been added to Qualys (5001097)
Feedly found the first article mentioning CVE-2024-47169.
Feedly estimated the CVSS score as HIGH
NVD published the first details for CVE-2024-47169
A CVSS base score of 8.8 has been assigned.
EPSS Score was set to: 0.04% (Percentile: 9.6%)