प्लेटफ़ॉर्म
python
घटक
dbgpt
में ठीक किया गया
0.6.1
CVE-2024-10902 is a critical Path Traversal vulnerability affecting versions of eosphoros-ai/db-gpt up to and including v0.6.0. This flaw allows attackers to upload arbitrary files to the server's file system, potentially leading to remote code execution. The vulnerability resides within the POST /v1/personal/agent/upload web API endpoint and requires immediate attention to prevent exploitation.
The primary impact of CVE-2024-10902 is the ability for an attacker to upload arbitrary files to the server. This is a severe risk because it can be leveraged for remote code execution (RCE). Specifically, the description highlights the possibility of writing a malicious init.py file into the Python /site-packages/ directory, which would execute upon import. This could grant the attacker complete control over the affected system. The path traversal aspect means the attacker isn't limited to a specific upload directory; they can choose any location on the file system, significantly expanding the potential damage. Successful exploitation could lead to data breaches, system compromise, and denial of service.
CVE-2024-10902 was publicly disclosed on 2025-03-20. The vulnerability's severity is rated as CRITICAL (CVSS 9.1). There is no indication of it being added to the CISA KEV catalog at this time. The potential for RCE makes this a high-priority vulnerability. Public proof-of-concept (POC) code is currently unknown, but the ease of path traversal exploitation suggests that POCs may emerge quickly.
Organizations deploying eosphoros-ai/db-gpt in production environments, particularly those using it for sensitive data processing or AI-driven applications, are at significant risk. Environments with weak file upload validation or inadequate access controls are especially vulnerable. Shared hosting environments where multiple users share the same server resources are also at increased risk.
• python / server:
Get-ChildItem -Path "C:\\path\\to\\db-gpt\\uploads" -Recurse -Filter "*.py"• generic web:
curl -I -X POST -F "file=@malicious_file.py" http://<target>/v1/personal/agent/upload | grep 'Location:'disclosure
एक्सप्लॉइट स्थिति
EPSS
3.26% (87% शतमक)
CISA SSVC
CVSS वेक्टर
The primary mitigation for CVE-2024-10902 is to upgrade to a patched version of eosphoros-ai/db-gpt. Unfortunately, a fixed version is not specified in the provided data. As a temporary workaround, implement strict file upload validation on the POST /v1/personal/agent/upload endpoint. This should include whitelisting allowed file extensions and rigorously validating the file path to prevent traversal attempts. Consider using a Web Application Firewall (WAF) with rules to block suspicious file uploads and path manipulation attempts. Regularly scan the file system for unexpected or unauthorized files. After applying mitigations, verify the upload endpoint's security by attempting to upload a file with a deliberately malicious path.
db-gpt के पैच किए गए संस्करण में अपग्रेड करें जो मनमाना फ़ाइल अपलोड (Arbitrary File Upload) और पथ पारगमन (Path Traversal) भेद्यता (vulnerability) को ठीक करता है। विशिष्ट अपडेट निर्देशों के लिए संस्करण नोट्स या विक्रेता की वेबसाइट देखें। एक अस्थायी उपाय के रूप में, `/v1/personal/agent/upload` API तक पहुंच को तब तक प्रतिबंधित करें जब तक कि अपडेट लागू न किया जा सके।
भेद्यता विश्लेषण और गंभीर अलर्ट सीधे आपके ईमेल में।
CVE-2024-10902 is a critical vulnerability in eosphoros-ai/db-gpt versions up to v0.6.0 that allows attackers to upload arbitrary files due to a lack of proper path validation.
You are affected if you are using eosphoros-ai/db-gpt version 0.6.0 or earlier. Immediate action is required to mitigate the risk.
Upgrade to a patched version of db-gpt. As no fixed version is specified, implement strict file upload validation and consider using a WAF as temporary mitigations.
There is currently no confirmed information about active exploitation, but the vulnerability's severity and ease of exploitation suggest it could be targeted soon.
Refer to the eosphoros-ai project's official channels (GitHub repository, website) for updates and advisories related to CVE-2024-10902.
अपनी डिपेंडेंसी फ़ाइल अपलोड करें और तुरंत जानें कि यह CVE और अन्य आपको प्रभावित करती हैं या नहीं।
अपनी requirements.txt फ़ाइल अपलोड करें और तुरंत जानें कि आप प्रभावित हैं या नहीं।