Platform: python
Component: dbgpt
Fixed in: 0.6.1
CVE-2024-10830 describes a Path Traversal vulnerability discovered in the eosphoros-ai/db-gpt project, specifically impacting versions up to 0.6.0. This flaw allows unauthorized deletion of files on the server. The vulnerability stems from insufficient sanitization of the file_key parameter within the /v1/resource/file/delete API endpoint, enabling attackers to specify arbitrary file paths. A patch is expected to address this issue.
The impact of this vulnerability is significant, as it grants an attacker the ability to delete arbitrary files on the server hosting the db-gpt application. This could lead to data loss, disruption of service, and potentially even complete compromise of the system. An attacker could delete critical configuration files, application code, or sensitive data stored on the server. The blast radius extends to any data accessible by the db-gpt application, and the ease of exploitation makes it a high-priority concern. While no direct precedent is immediately obvious, the potential for widespread data deletion mirrors the impact of other path traversal vulnerabilities where attackers gain unauthorized file system access.
CVE-2024-10830 was publicly disclosed on 2025-03-20. Its severity is rated HIGH (CVSS 8.2). There are currently no known public proof-of-concept exploits available, but the vulnerability's simplicity suggests that one may be developed quickly. It is not currently listed on the CISA KEV catalog. Active exploitation is not confirmed at this time.
Organizations deploying db-gpt in production environments, particularly those handling sensitive data or integrating with other critical systems, are at risk. Shared hosting environments where db-gpt instances share resources are also vulnerable, as an attacker could potentially exploit this vulnerability to impact other tenants.
• python / server:
# Monitor for requests to /v1/resource/file/delete with suspicious file_key parameters
# Example (fixed-string match, since a bare '..' regex would match any two characters):
# grep -F '..' /var/log/nginx/access.log | grep '/v1/resource/file/delete'
• generic web:
# Check for the existence of the endpoint
curl -I https://your-dbgpt-instance/v1/resource/file/delete

Disclosure
Exploit status:
EPSS: 0.22% (45th percentile)
CISA SSVC:
CVSS vector:
The primary mitigation for CVE-2024-10830 is to upgrade to a patched version of eosphoros-ai/db-gpt. The vendor has not released a specific fixed version as of this writing, so monitor their repository for updates. As a temporary workaround, implement strict input validation on the file_key parameter, ensuring it only accepts expected values. Consider implementing a Web Application Firewall (WAF) rule to block requests containing suspicious characters or patterns in the file_key parameter. Regularly review file system permissions to limit the application's access to only the files it needs.
Upgrade to a version later than 0.6.0, or implement robust validation of the `file_key` input to prevent directory traversal. Make sure user-supplied file names are checked against an allow-list or properly sanitized before they are used to access files. Consider restricting access to the file-deletion function to authorized users only.
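The allow-list plus containment check recommended above, as an added example written for this advisory; it is not db-gpt's own code, and the `upload_dir` layout, the `resolve_file_key` and `delete_upload` names and the key format are assumptions:

```python
# Added example (not dbgpt's own code): validate a user-supplied file_key before
# using it to delete a file, as the mitigation for CVE-2024-10830 recommends.
import re
from pathlib import Path

# Hypothetical allow-list: a file_key is a plain file name, no path separators,
# no leading dot, no NUL, at most 128 characters. Adjust to the real key format.
FILE_KEY_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,127}")


class InvalidFileKey(ValueError):
    """Raised when a file_key fails validation."""


def resolve_file_key(upload_dir: str, file_key: str) -> Path:
    """Return the absolute path of file_key inside upload_dir, or raise.

    Two independent checks are applied: an allow-list on the key itself and a
    containment check on the resolved path, so that a bypass of one (e.g. a
    symlink inside upload_dir pointing elsewhere) is still caught by the other.
    """
    if not FILE_KEY_RE.fullmatch(file_key):
        raise InvalidFileKey(f"rejected file_key: {file_key!r}")
    base = Path(upload_dir).resolve()
    target = (base / file_key).resolve()  # follows symlinks, collapses '..'
    if target.parent != base:
        raise InvalidFileKey(f"file_key escapes upload_dir: {file_key!r}")
    return target


def is_safe_file_key(upload_dir: str, file_key: str) -> bool:
    """True iff file_key would be accepted for upload_dir (useful for tests/WAF rules)."""
    try:
        resolve_file_key(upload_dir, file_key)
    except InvalidFileKey:
        return False
    return True


def delete_upload(upload_dir: str, file_key: str) -> bool:
    """Delete the validated file; return False if it did not exist."""
    target = resolve_file_key(upload_dir, file_key)  # raises on traversal attempts
    try:
        target.unlink()
    except FileNotFoundError:
        return False
    return True
```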
CVE-2024-10830 is a Path Traversal vulnerability in dbgpt versions up to 0.6.0, allowing attackers to delete files on the server by manipulating the file_key parameter in the /v1/resource/file/delete endpoint.
You are affected if you are using dbgpt version 0.6.0 or earlier. Assess your deployment to determine if this version is in use.
Upgrade to a patched version of dbgpt that addresses this vulnerability. Until a patch is available, implement workarounds like restricting access and validating input.
There are currently no reports of active exploitation, but the vulnerability's ease of exploitation makes it a potential target.
Check the eosphoros-ai project's repository and associated communication channels for updates and advisories related to CVE-2024-10830.