A flaw has been found in zhayujie chatgpt-on-wechat CowAgent up to 2.0.4. This affects the function dispatch of the file agent/memory/service.py of the component API Memory Content Endpoint. This manipulation of the argument filename causes path traversal.
The attack can be initiated remotely. The exploit has been published and may be used. Upgrading to version 2.0.5 mitigates this issue.
Patch name: 174ee0cafc9e8e9d97a23c305418251485b8aa89. It is recommended to upgrade the affected component. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.
Attack Parameters
Attack Vector
Network
Can be exploited remotely
Attack Complexity
Low
Easy to exploit
Attack Requirements
None
No additional conditions
Privileges Required
None
No privileges needed
User Interaction
None
No user interaction needed
Impact Assessment
Confidentiality
Low
Partial data leak
Integrity
None
No data modification
Availability
None
No disruption
CVSS Vector v4.0
Weakness Type (CWE)
References 7
https://github.com/zhayujie/chatgpt-on-wechat/commit/174ee0cafc9e8e9d97a23c3054…
cna@vuldb.com
https://github.com/zhayujie/chatgpt-on-wechat/issues/2734
cna@vuldb.com
https://github.com/zhayujie/chatgpt-on-wechat/issues/2734#issue-4178013778
cna@vuldb.com
https://github.com/zhayujie/chatgpt-on-wechat/releases/tag/2.0.5
cna@vuldb.com
https://vuldb.com/submit/793558
cna@vuldb.com
https://vuldb.com/vuln/356552
cna@vuldb.com
https://vuldb.com/vuln/356552/cti
cna@vuldb.com