Submeter #784463: griptape v0.19.4 Absolute Path Traversalinformação

Títulogriptape v0.19.4 Absolute Path Traversal
DescriçãoThe `FileManagerTool` (backed by `LocalFileManagerDriver`) in Griptape provides capabilities to list, read, and write files. However, it fails to properly sanitize file paths provided by the LLM. It directly concatenates the llm-supplied path with the working directory. This allows for a path traversal vulnerability. An attacker can use prompt injection to coerce the LLM into providing paths containing `../` sequences. This enables the agent to: 1. **Read arbitrary files** (e.g., `/etc/passwd`) via `load_files_from_disk`. 2. **List arbitrary directories** via `list_files_from_disk`. 3. **Write to arbitrary files** via `save_content_to_file` or `save_memory_artifacts_to_disk`.
Fonte⚠️ https://github.com/Ka7arotto/cve/blob/main/griptape/issue_fileManagerTool/issue.md
Utilizador
 Goku (UID 80486)
Submissão21/03/2026 02h57 (há 17 dias)
Moderação05/04/2026 07h17 (15 days later)
EstadoAceite
Entrada VulDB355389 [griptape-ai griptape 0.19.4 FileManagerTool Travessia de Diretório]
Pontos20

VoltarVisão GeralPróximo

Do you want to use VulDB in your project?

Use the official API to access entries easily!