CVE-2024-47170

low-risk

Published 2024-09-26

Agnai is an artificial-intelligence-agnostic multi-user, mult-bot roleplaying chat system. A vulnerability in versions prior to 1.0.330 permits attackers to read arbitrary JSON files at attacker-chosen locations on the server. This issue can lead to unauthorized access to sensitive information and exposure of confidential configuration files. This only affects installations with `JSON_STORAGE` enabled which is intended to local/self-hosting only. Version 1.0.330 fixes this issue.

Do I need to act?

0.77% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 4.3/10 Medium

NETWORK / LOW complexity

Affected Products (1)

Agnai

Affected Vendors

Agnai

References (1)

Vendor Advisory https://github.com/agnaistic/agnai/security/advisories/GHSA-h355-hm5h-cm8h

/ 100

low-risk

Severity 18/34 · Moderate

Exploitability 3/34 · Minimal

Exposure 5/34 · Minimal