Superagi
CVE-2023-48055
HIGH
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
1DescriptionNVD
SuperAGI v0.0.13 was discovered to use a hardcoded key for encryption operations. This vulnerability can lead to the disclosure of information and communications.
AnalysisAI
SuperAGI v0.0.13 was discovered to use a hardcoded key for encryption operations. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Technical ContextAI
This vulnerability is classified as Use of Hard-coded Credentials (CWE-798), which allows attackers to gain access using credentials embedded in source code. SuperAGI v0.0.13 was discovered to use a hardcoded key for encryption operations. This vulnerability can lead to the disclosure of information and communications. Affected products include: Superagi.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Remove hard-coded credentials, use environment variables or secrets management, rotate exposed credentials immediately.
A Path Traversal vulnerability exists in the file upload functionality of transformeroptimus/superagi version 0.0.14. Ra
An IDOR (Insecure Direct Object Reference) vulnerability exists in transformeroptimus/superagi version v0.0.14. Rated hi
An information disclosure vulnerability exists in the latest version of transformeroptimus/superagi. Rated high severity
An information disclosure vulnerability exists in the latest version of transformeroptimus/superagi. Rated medium severi
In version 0.0.14 of transformeroptimus/superagi, the API endpoint `/api/users/get/{id}` returns the user's password in
Remote unauthenticated access to vector database configurations in TransformerOptimus SuperAGI ≤0.0.14 allows attackers
Path traversal in TransformerOptimus SuperAGI versions up to 0.0.14 allows remote unauthenticated attackers to read, wri
TransformerOptimus SuperAGI up to version 0.0.14 allows authenticated remote attackers to bypass authorization controls
Server-side request forgery (SSRF) in TransformerOptimus SuperAGI up to version 0.0.14 allows authenticated remote attac
Authorization bypass in TransformerOptimus SuperAGI up to version 0.0.14 allows authenticated remote attackers to access
Authorization bypass in TransformerOptimus SuperAGI up to version 0.0.14 allows authenticated attackers to manipulate th
Authorization bypass in TransformerOptimus SuperAGI up to version 0.0.14 allows authenticated users to modify arbitrary
Same weakness CWE-798 – Use of Hard-coded Credentials
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today