| タイトル | zhayujie chatgpt-on-wechat (CowAgent) 2.0.4 Path Traversal Leading to Arbitrary File Read |
|---|
| 説明 | The /api/memory/content endpoint in the chatgpt-on-wechat Web Console accepts a filename parameter that is passed directly to the filesystem read operation without any path validation or sanitization. By using directory traversal sequences (../), an unauthenticated attacker can read any file on the server that is accessible to the application process. This includes system files (/etc/passwd, /etc/hosts), application configuration files containing full API keys, SSH keys, and any other sensitive data. |
|---|
| ソース | ⚠️ https://github.com/zhayujie/chatgpt-on-wechat/issues/2734 |
|---|
| ユーザー | Yu_Bao (UID 89348) |
|---|
| 送信 | 2026年03月31日 12:37 (10 日 ago) |
|---|
| モデレーション | 2026年04月09日 14:57 (9 days later) |
|---|
| ステータス | 承諾済み |
|---|
| VulDBエントリ | 356552 [zhayujie chatgpt-on-wechat CowAgent 迄 2.0.4 API Memory Content Endpoint agent/memory/service.py dispatch filename ディレクトリトラバーサル] |
|---|
| ポイント | 20 |
|---|