Vulnerability Information
Although we use advanced large-language-model technology, its output may still contain inaccurate or outdated information. Shenlong strives to ensure the accuracy of its data, but please verify and judge according to your actual situation.
Vulnerability Title
NanoClaw < 2.1.17 - Arbitrary File Read via Symlink Following in forwardAttachedFiles
Vulnerability Description
NanoClaw before 2.1.17 contains a symlink following vulnerability in forwardAttachedFiles that allows container-controlled agents to exfiltrate host-readable files. The host validates attachment filenames using only isSafeAttachmentName before copying with fs.copyFileSync, which follows symlinks without containment checks, allowing malicious agents to disclose arbitrary host files.
CVSS Information
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Vulnerability Type
Improper link resolution before file access (link following)
Vulnerability Title
NanoCo NanoClaw link following vulnerability
Vulnerability Description
NanoCo NanoClaw is a lightweight personal AI agent platform from the NanoCo organization. NanoCo NanoClaw versions before 2.1.17 contain a link following vulnerability caused by symlink following in forwardAttachedFiles: the host validates attachment filenames using only isSafeAttachmentName and then copies them with fs.copyFileSync, which follows symbolic links without any containment check, so a container-controlled agent can disclose files readable by the host.
CVSS Information
N/A
Vulnerability Type
N/A