OpenClaw: Write-scoped callers could reach admin-only session reset logic through `agent`

Summary In affected versions of openclaw, a gateway caller with operator.write could issue agent requests containing /new or /reset and reach the same reset path used by the admin-only sessions.reset RPC. Impact On gateways where a caller is intentionally granted operator.write but not...

agent-path (>=0.1.0 <=0.1.2), agentc-llamaindex (=0.2.5a2) +837 more potentially affected by CVE-2024-12704 via llama-index-core (>=0.10.0 <=0.12.52.post1)

llama-index-core PYPI version =0.10.0, =0.1.0, =0.0.2, =0.1.0a0.dev0, =0.2.0a0, =0.0.6, =1.1.0, =3.0.0, =1.0.5, =1.7.0, =0.1.0, =1.0.0, =1.1.6 - botrun-llama-kb =5.8.22 and more Source cves: CVE-2024-12704 Source advisory: OSV:GHSA-J3WR-M6XH-64HG...