CVE-2024-9447
📋 TL;DR
An information disclosure vulnerability in transformeroptimus/superagi allows authenticated users to access sensitive configuration details of any organization through the /get/organisation/ endpoint. This exposes API keys and other confidential data, potentially leading to unauthorized service access and data breaches. All organizations using the vulnerable version are affected.
💻 Affected Systems
- transformeroptimus/superagi
📦 What is this software?
SuperAGI (transformeroptimus/superagi), an open-source framework for building and running autonomous AI agents. Organisations are its tenant boundary; each holds configuration such as the API keys its agents use to call external services, which is the data this vulnerability exposes.
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain API keys and access external services, leading to data exfiltration, financial fraud, and complete compromise of integrated systems.
Likely Case
Malicious insiders or compromised accounts harvest API keys, enabling unauthorized access to third-party services and potential data leaks.
If Mitigated
With proper access controls and monitoring, impact is limited to internal data exposure without external service compromise.
🎯 Exploit Status
Exploitation requires an authenticated account, but nothing beyond that: a single request to the vulnerable endpoint carrying another organisation's ID returns that organisation's configuration.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check latest release or commit fixing CVE-2024-9447
Vendor Advisory: https://huntr.com/bounties/c952ea32-3047-42d3-8a3e-e67899e35dfd
Restart Required: Yes
Instructions:
1. Update to the latest patched version of superagi.
2. Restart the application.
3. Verify the fix by testing endpoint access controls (see How to Verify below).
🔧 Temporary Workarounds
Endpoint Restriction
Block or restrict access to the /get/organisation/ endpoint at the reverse proxy or application level. A blanket deny also locks out legitimate users of the endpoint, so treat this as a stopgap until the patch is applied.
# Example using nginx (returns 403 to every caller):
location /get/organisation/ { deny all; }
# Example using iptables. Payload string matching only works for plaintext HTTP on the application port (it cannot see inside TLS) and can be evaded by splitting the path across packets, so prefer the proxy rule where possible:
iptables -A INPUT -p tcp --dport <app_port> -m string --string "/get/organisation/" --algo bm -j DROP
Enhanced Authentication
Implement an authorization check before processing organisation requests: authentication alone is not enough, the handler must also confirm that the caller belongs to the organisation whose ID it is asked for.
# Modify application code to verify user organisation membership before returning data
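The following is an added illustration of that membership check, written for this page and not taken from SuperAGI's code base. The data model, the two handler functions and the sample organisations are constructed; the vulnerable handler mirrors the bug pattern the advisory describes (authenticated caller, requested ID never compared with the caller's membership), and the fixed handler adds the check. The `cross_tenant_read_leaks` helper is the same probe the How to Verify section describes, run against each handler.

```python
# Illustrative IDOR check modelled on the mitigation above; NOT SuperAGI's own code.
# Data model, handler names and sample organisations are constructed for this example.
from dataclasses import dataclass, field


class NotFound(Exception):
    """Requested organisation does not exist (HTTP 404 in a real API)."""


class Forbidden(Exception):
    """Caller is authenticated but not a member of the organisation (HTTP 403)."""


@dataclass(frozen=True)
class User:
    id: int
    organisation_id: int  # the single organisation this user belongs to


@dataclass
class Organisation:
    id: int
    name: str
    # Constructed stand-in for the sensitive configuration the CVE exposes.
    config: dict = field(default_factory=dict)


# Constructed sample tenants; the key values are placeholders, not real secrets.
ORGANISATIONS = {
    1: Organisation(1, "acme", {"OPENAI_API_KEY": "sk-acme-placeholder"}),
    2: Organisation(2, "globex", {"OPENAI_API_KEY": "sk-globex-placeholder"}),
}


def get_organisation_vulnerable(current_user: User, organisation_id: int) -> Organisation:
    """Vulnerable pattern: authentication is enforced (we were handed a User),
    but the requested organisation_id is never compared with the caller's
    membership, so any logged-in user can read any tenant's configuration."""
    org = ORGANISATIONS.get(organisation_id)
    if org is None:
        raise NotFound(organisation_id)
    return org


def get_organisation_fixed(current_user: User, organisation_id: int) -> Organisation:
    """Hardened pattern: refuse the request before touching the record unless
    the caller belongs to the organisation being asked for."""
    if current_user.organisation_id != organisation_id:
        raise Forbidden(
            f"user {current_user.id} is not a member of organisation {organisation_id}"
        )
    org = ORGANISATIONS.get(organisation_id)
    if org is None:
        raise NotFound(organisation_id)
    return org


def cross_tenant_read_leaks(handler, attacker: User, victim_org_id: int) -> bool:
    """Verification probe: does `handler` hand a foreign tenant's config to
    `attacker`? Same check as the manual test in How to Verify: request
    another organisation's ID as an ordinary authenticated user."""
    try:
        org = handler(attacker, victim_org_id)
    except Forbidden:
        return False
    return "OPENAI_API_KEY" in org.config


if __name__ == "__main__":
    mallory = User(id=7, organisation_id=1)  # authenticated member of "acme" only
    print("vulnerable handler leaks globex config:",
          cross_tenant_read_leaks(get_organisation_vulnerable, mallory, 2))
    print("fixed handler leaks globex config:    ",
          cross_tenant_read_leaks(get_organisation_fixed, mallory, 2))
```

Whether a foreign ID gets 403 or 404 is a design choice; answering 404 avoids confirming that the organisation exists, but either is correct as long as no configuration leaves the server. The check must run before the record is loaded and before anything is serialised, so that no code path can return the object by accident.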
🧯 If You Can't Patch
- Implement strict network segmentation to isolate the superagi instance from external services.
- Rotate all exposed API keys and monitor for unauthorized usage.
🔍 How to Verify
Check if Vulnerable:
As an ordinary authenticated user belonging to organisation A, request the /get/organisation/ endpoint with organisation B's ID. If the response contains B's configuration (for example its API keys), the instance is vulnerable.
Check Version:
Check the superagi version in the application configuration or from the deployed checkout (e.g. `git log -1` in the deployment directory; `pip show superagi` if it was installed as a package), and compare it against the release or commit that fixes CVE-2024-9447.
Verify Fix Applied:
Repeat the vulnerable check; access should be denied or return only authorized organization data.
📡 Detection & Monitoring
Log Indicators:
- Unusual access patterns to /get/organisation/ endpoint
- Requests with mismatched user and organization IDs
Network Indicators:
- HTTP GET requests to /get/organisation/ from a single session or token that cycle through several different organisation IDs
SIEM Query (pseudo-syntax; `user_org_mismatch` is not a field in raw access logs and must be derived by joining the organisation ID in the request path against the caller's organisation membership):
source="superagi" AND url="/get/organisation/*" AND user_org_mismatch=true
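An added example of the two indicators above turned into detection logic, written for this page and not part of the original advisory. The access-log format is constructed (timestamp, authenticated user ID, method, path, status), and the `USER_ORG` table stands in for whatever enrichment source (user database export, IdP attributes) a SIEM can join against; the first function derives the `user_org_mismatch` condition that the pseudo-query above relies on, the second flags one user walking many organisation IDs, which needs no enrichment at all.

```python
# Added detection example for the log and network indicators above; NOT from the advisory.
# Log format and user-to-organisation table are constructed for this example.
import re
from collections import defaultdict

# Constructed access-log lines: timestamp, authenticated user id, method, path, status.
SAMPLE_LOG = """\
2024-10-01T12:00:01Z user=7 GET /get/organisation/1 200
2024-10-01T12:00:05Z user=7 GET /get/organisation/2 200
2024-10-01T12:00:06Z user=7 GET /get/organisation/3 200
2024-10-01T12:00:07Z user=7 GET /get/organisation/4 404
2024-10-01T12:01:00Z user=9 GET /get/organisation/2 200
2024-10-01T12:02:00Z user=9 GET /agents/list 200
"""

# Constructed enrichment table: the organisation each user belongs to.
USER_ORG = {7: 1, 9: 2}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\d+) (?P<method>[A-Z]+) "
    r"(?P<path>\S+) (?P<status>\d{3})$"
)
ORG_PATH_RE = re.compile(r"^/get/organisation/(?P<org>\d+)$")


def parse(log_text):
    """Yield one dict per request to the organisation endpoint; skip everything else."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed or unrelated line
        p = ORG_PATH_RE.match(m["path"])
        if not p:
            continue  # other endpoints are out of scope for this detection
        yield {
            "ts": m["ts"],
            "user": int(m["user"]),
            "org": int(p["org"]),
            "status": int(m["status"]),
        }


def find_mismatches(log_text, user_org):
    """Log indicator: a request whose organisation ID differs from the caller's own
    organisation. Only a 2xx proves disclosure, but the attempt itself is worth an
    alert, so every mismatch is returned together with its status code."""
    return [
        e for e in parse(log_text)
        if user_org.get(e["user"]) is not None and user_org[e["user"]] != e["org"]
    ]


def find_enumerators(log_text, min_distinct_orgs=3):
    """Network indicator: one user touching many distinct organisation IDs, which is
    what walking the ID space looks like even before any enrichment is available."""
    seen = defaultdict(set)
    for e in parse(log_text):
        seen[e["user"]].add(e["org"])
    return {u: sorted(o) for u, o in seen.items() if len(o) >= min_distinct_orgs}


if __name__ == "__main__":
    for e in find_mismatches(SAMPLE_LOG, USER_ORG):
        print(f"MISMATCH {e['ts']} user {e['user']} read org {e['org']} (HTTP {e['status']})")
    for u, orgs in find_enumerators(SAMPLE_LOG).items():
        print(f"ENUMERATION user {u} requested organisations {orgs}")
```

Run against the sample, user 7 (a member of organisation 1) is flagged for reading organisations 2 and 3 successfully and probing 4, and is also caught by the enumeration rule; user 9 reads only its own organisation and produces no alert. The enumeration threshold is a tuning knob: set it above the number of organisations a legitimate user could plausibly belong to in your deployment.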