| Title | composiohq composio <=v0.5.8(latest) arbitrary file read |
|---|
| Description | Without checking the path in this directory, information on this machine can be read. If the user starts the Composio Server service with root permissions, it may be possible to read sensitive files such as /root/.ssh/id_rsa, which are used for SSH key-based authentication, potentially allowing keyless login to the server.
The vulnerability lies in the composio\server\api.py file where there is no restriction placed on the path() function. |
|---|
| Source | ⚠️ https://rumbling-slice-eb0.notion.site/There-is-an-arbitrary-file-read-vulnerability-at-api-download-in-composiohq-composio-f0ec1ec26a5f434a97bb1ffde435a35b?pvs=4 |
|---|
| User | aftersnow (UID 71336) |
|---|
| Submission | 09/05/2024 14:33 (2 years ago) |
|---|
| Moderation | 09/14/2024 07:56 (9 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 277502 [composiohq composio up to 0.5.8 composio\server\api.py path File path traversal] |
|---|
| Points | 17 |
|---|