Platform: python
Component: dbgpt
Fixed in: 0.6.1
CVE-2024-10830 is a path traversal vulnerability in the eosphoros-ai/db-gpt project affecting versions up to and including 0.6.0. The /v1/resource/file/delete API endpoint does not adequately sanitize the file_key parameter, so a caller can supply a value containing traversal sequences (such as ..) or an absolute path and have the server delete a file outside the intended upload directory. The issue is fixed in version 0.6.1.
The impact is significant: a successful attacker can delete any file the db-gpt process has permission to remove, including configuration files, database backups, or application code, leading to denial of service or loss of data. File deletion does not by itself give the attacker code execution, but removing configuration or access-control files can break or weaken other protections, and the risk is greater where db-gpt handles sensitive data or is connected to other critical systems. No exploitation reports are public, but the request is simple to craft, so this should be treated as a high-priority fix.
CVE-2024-10830 was published on 2025-03-20. There is currently no indication of active exploitation, and it is not listed in CISA's KEV catalog. The EPSS score is 0.22% (45th percentile), a low predicted probability of exploitation despite the straightforward nature of the flaw. No public proof-of-concept code was available at the time of writing, but exploitation requires only a crafted request to the delete endpoint.
Exploit Status
EPSS: 0.22% (45th percentile)
CISA SSVC:
CVSS Vector:
The primary mitigation is to upgrade to db-gpt 0.6.1 or later. If you cannot upgrade immediately, reduce exposure in the meantime: require authentication and authorization on the /v1/resource/file/delete endpoint so that only trusted users can reach it; validate file_key on the server by resolving it against the upload directory and rejecting any value whose canonical path lies outside that directory (a blocklist of the literal string .. is not sufficient on its own, since absolute paths and encoded variants also have to be caught); and, as a stopgap only, use a WAF rule to drop requests whose file_key contains traversal sequences. After upgrading, verify the fix by placing a harmless canary file outside the upload directory and sending a file_key that uses .. to point at it; the request should be rejected and the canary file should still exist.
Upgrade to a version later than 0.6.0, or implement robust validation of the `file_key` input to prevent directory traversal. Make sure user-supplied file names are checked against an allowlist or properly canonicalised before they are used to access files. Consider restricting the file-deletion function to authorized users only.
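The following Python example, added here and not taken from db-gpt's code base, illustrates the validation described above. It assumes a hypothetical upload directory (created under a temp dir so it runs anywhere), a hypothetical delete handler, and constructed sample files; the endpoint and parameter names are the page's, but the function names and layout are assumptions. It shows the vulnerable join-and-trust pattern beside a canonicalise-and-contain check, and exercises both with the same traversal key.

```python
import os
import tempfile
from pathlib import Path

# Hypothetical upload directory; db-gpt's real layout is not assumed.
# Created under a temp dir so the demo runs anywhere without side effects.
DEMO_ROOT = Path(tempfile.mkdtemp(prefix="traversal_demo_"))
UPLOAD_ROOT = DEMO_ROOT / "uploads"
OUTSIDE_DIR = DEMO_ROOT / "outside"   # stands in for "anything outside the root"
UPLOAD_ROOT.mkdir()
OUTSIDE_DIR.mkdir()


def resolve_unsafe(file_key: str) -> Path:
    """The vulnerable pattern: join the caller-supplied key onto the upload
    root and trust the result. '../' segments walk out of the root, and an
    absolute key makes os.path.join discard the root altogether."""
    return Path(os.path.join(UPLOAD_ROOT, file_key))


def resolve_safe(file_key: str) -> Path:
    """Hardened lookup: canonicalise (normalising '..' and following
    symlinks) and require the result to sit strictly inside UPLOAD_ROOT.
    Any escape raises ValueError instead of returning a path."""
    if not file_key or "\x00" in file_key:
        raise ValueError("empty or NUL-containing file_key")
    root = UPLOAD_ROOT.resolve()
    candidate = (root / file_key).resolve()   # an absolute key replaces root here
    if root not in candidate.parents:         # also rejects candidate == root
        raise ValueError(f"file_key escapes upload root: {file_key!r}")
    return candidate


def is_safe_key(file_key: str) -> bool:
    """True if resolve_safe accepts the key, False if it rejects it."""
    try:
        resolve_safe(file_key)
        return True
    except ValueError:
        return False


def delete_file(file_key: str, resolver=resolve_safe) -> bool:
    """Delete the file a key points at. Returns True if something was
    unlinked, False if no such file existed. The resolver is injectable so
    the demo can show the unsafe and safe behaviours side by side."""
    target = resolver(file_key)
    if target.is_file():
        target.unlink()
        return True
    return False


def demo() -> dict:
    """Plant a legitimate upload and a 'sensitive' file outside the upload
    root, then issue the same traversal key to both resolvers."""
    (UPLOAD_ROOT / "notes.txt").write_text("legitimate upload")
    secret = OUTSIDE_DIR / "config.yaml"
    secret.write_text("db_password: hunter2")   # constructed sample content
    traversal_key = "../outside/config.yaml"

    unsafe_deleted = delete_file(traversal_key, resolver=resolve_unsafe)
    secret_survived_unsafe = secret.exists()
    secret.write_text("db_password: hunter2")   # restore for the next step

    try:
        delete_file(traversal_key, resolver=resolve_safe)
        safe_rejected = False
    except ValueError:
        safe_rejected = True
    secret_survived_safe = secret.exists()

    # A legitimate key still works through the hardened path.
    legit_deleted = delete_file("notes.txt", resolver=resolve_safe)

    return {
        "unsafe_deleted_outside_file": unsafe_deleted,
        "secret_survived_unsafe": secret_survived_unsafe,
        "safe_rejected": safe_rejected,
        "secret_survived_safe": secret_survived_safe,
        "legit_deleted": legit_deleted,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The containment check operates on the decoded value the web framework hands to the handler, so a key such as `..%2fetc%2fpasswd` that arrives still percent-encoded is treated as an odd but harmless filename inside the root; double-decoding before the check would reintroduce the problem, so decode exactly once at the framework boundary and nowhere else.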
CVE-2024-10830 is a Path Traversal vulnerability in dbgpt versions up to 0.6.0, allowing attackers to delete files on the server by manipulating the file_key parameter in the /v1/resource/file/delete endpoint.
You are affected if you are using dbgpt version 0.6.0 or earlier. Assess your deployment to determine if this version is in use.
Upgrade to dbgpt 0.6.1 or later. If you cannot upgrade immediately, restrict access to the delete endpoint and validate the file_key input as a temporary measure.
There are currently no reports of active exploitation, but the vulnerability's ease of exploitation makes it a potential target.
Check the eosphoros-ai project's repository and associated communication channels for updates and advisories related to CVE-2024-10830.