CVE-2024-47171 MEDIUM

CVE-2024-47171: Agnai vulnerable to Relative Path Traversal in Image Upload

Vendor: Agnaistic
Product: agnai
Weakness: CWE-35
Published: September 26, 2024
Last update: September 26, 2024

CVSS base score

4.3/10
Attack vector: Network
Attack complexity: Low
Privileges required: Low
User interaction: None
Confidentiality: None
Integrity: Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

What the vulnerability does

01 Description

Agnai is an artificial-intelligence-agnostic multi-user, multi-bot roleplaying chat system. A vulnerability in versions prior to 1.0.330 permits attackers to upload image files to an attacker-chosen location on the server. This issue can lead to image file uploads to unauthorized or unintended directories, including overwriting of existing images, which may be used for defacement. This does not affect `agnai.chat`, installations using S3-compatible storage, or self-hosted installations that are not publicly exposed. Version 1.0.330 fixes this vulnerability.
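The class of defect described above is normally closed by resolving the client-supplied name against the upload directory and refusing anything that lands outside it or on top of an existing file. The following is an added example, not Agnai's code or the 1.0.330 patch; the function names, the extension allow-list and the temporary directory are assumptions made for illustration.

```javascript
// Added example (not Agnai's code): confine client-supplied image names to one directory.
const fs = require('fs')
const os = require('os')
const path = require('path')

const ALLOWED_EXT = new Set(['.png', '.jpg', '.jpeg', '.gif', '.webp']) // assumed allow-list

// Returns the absolute destination for `name` inside `baseDir`, or throws.
function resolveUploadPath(baseDir, name) {
  if (typeof name !== 'string' || name.length === 0 || name.includes('\0')) {
    throw new Error('invalid filename')
  }
  const root = path.resolve(baseDir)
  // resolve() collapses every "." and ".." segment; an absolute `name` replaces root entirely.
  const dest = path.resolve(root, name)
  // Compare against root + separator so "/srv/assets-old" does not pass for "/srv/assets".
  if (!dest.startsWith(root + path.sep)) throw new Error('path escapes upload directory')
  if (!ALLOWED_EXT.has(path.extname(dest).toLowerCase())) throw new Error('extension not allowed')
  return dest
}

// Writes the upload. The "wx" flag makes the write fail if the file already exists,
// so a client-chosen name cannot replace an existing image.
function saveUpload(baseDir, name, data) {
  const dest = resolveUploadPath(baseDir, name)
  fs.mkdirSync(path.dirname(dest), { recursive: true })
  fs.writeFileSync(dest, data, { flag: 'wx' })
  return dest
}

// Constructed sample names, checked against a throwaway directory.
function demo() {
  const base = fs.mkdtempSync(path.join(os.tmpdir(), 'uploads-'))
  const names = ['avatar.png', 'user1/avatar.png', '../avatar.png', 'a/../../b.png',
    path.join(os.tmpdir(), 'x.png'), 'notes.txt', 'avatar.png']
  const results = names.map((n) => {
    try { saveUpload(base, n, Buffer.from('constructed')); return 'saved' }
    catch (e) { return e.code === 'EEXIST' ? 'exists' : 'rejected' }
  })
  fs.rmSync(base, { recursive: true, force: true })
  return results
}

console.log(demo())
```

`path.resolve` is purely lexical and does not follow symbolic links, so a deployment that allows symlinks inside the upload directory would also need to compare `fs.realpathSync` results.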

Key dates

02 Disclosure timeline

September 26, 2024: CVE published
September 26, 2024: Record updated