frdel Agent-Zero Path Traversal Vulnerability in Image Retrieval API
Vulnerability
A path traversal vulnerability has been identified in frdel Agent-Zero versions prior to 0.8.4. The issue arises in the image_get function within the file /python/api/image_get.py. The vulnerability allows for arbitrary file read by manipulating the path parameter, which the application fails to properly validate, enabling access to files outside of the intended directory.
Impact
Exploitation of this vulnerability allows for arbitrary file read, potentially leading to the disclosure of sensitive information.
Reproduction
To reproduce this vulnerability, send a GET request to the '/image_get' endpoint with a 'path' parameter that includes traversal sequences, such as '../', to access files outside the intended directory. The response will include the contents of the requested file, demonstrating the successful exploitation of the path traversal vulnerability.
Remediation
Users are advised to upgrade to frdel Agent-Zero version 0.8.4.1, which addresses this vulnerability. The updated version is available for download from the GitHub releases page.
Vulnerability Rating
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.