exploitDog
GHSA-8pwp-phcg-h36g

Published: 20 Mar 2025
Source: github
GitHub: reviewed
CVSS3: 8.2

Description

DB-GPT Path Traversal vulnerability

A Path Traversal vulnerability exists in the eosphoros-ai/db-gpt version 0.6.0 at the API endpoint /v1/resource/file/delete. This vulnerability allows an attacker to delete any file on the server by manipulating the file_key parameter. The file_key parameter is not properly sanitized, enabling an attacker to specify arbitrary file paths. If the specified file exists, the application will delete it.

Packages

Name     Ecosystem   Affected versions   Fixed version
dbgpt    pip         <= 0.6.0            none

EPSS: 0.00224 (percentile: 45%), Low

CVSS3: 8.2 High

Weaknesses: CWE-22

Related vulnerabilities

NVD record, CVSS3: 8.2, published 11 months ago

A Path Traversal vulnerability exists in the eosphoros-ai/db-gpt version 0.6.0 at the API endpoint `/v1/resource/file/delete`. This vulnerability allows an attacker to delete any file on the server by manipulating the `file_key` parameter. The `file_key` parameter is not properly sanitized, enabling an attacker to specify arbitrary file paths. If the specified file exists, the application will delete it.
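The root cause described above is a file key that is joined to a storage directory without being checked for traversal. The following is an added example, not DB-GPT's own code, of how a delete handler of this shape can be hardened: the untrusted key is resolved against the base directory and rejected whenever the resolved path lands outside it. The function names, the upload directory and the sample keys are all constructed for illustration.

```python
import tempfile
from pathlib import Path


class UnsafeFileKey(ValueError):
    """Raised when a file_key would resolve outside the upload directory."""


def resolve_file_key(base_dir: str, file_key: str) -> Path:
    """Map an untrusted file_key onto a path strictly inside base_dir.

    Hypothetical hardening for a file-delete endpoint: the key is joined to
    the base directory, fully resolved (collapsing '..' and symlinks), and
    only accepted if the result is still under the resolved base. Absolute
    keys, '..' segments and symlinks pointing elsewhere are all rejected.
    """
    if not file_key or "\x00" in file_key:
        raise UnsafeFileKey("empty or NUL-containing file_key")
    base = Path(base_dir).resolve()
    # Path joining discards `base` when file_key is absolute, so the
    # containment check below is what actually enforces the boundary.
    candidate = (base / file_key).resolve()
    # is_relative_to() needs Python 3.9+; compare resolved paths, not strings.
    if candidate == base or not candidate.is_relative_to(base):
        raise UnsafeFileKey(f"file_key escapes upload directory: {file_key!r}")
    return candidate


def delete_uploaded_file(base_dir: str, file_key: str) -> bool:
    """Delete the file named by file_key if it lies inside base_dir.
    Returns True if a file was removed, False if nothing existed at the key."""
    target = resolve_file_key(base_dir, file_key)  # raises on traversal
    if not target.is_file():
        return False
    target.unlink()
    return True


def demo() -> dict:
    """Exercise the guard with constructed keys in a throwaway directory."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        upload_dir = Path(tmp) / "uploads"
        upload_dir.mkdir()
        (upload_dir / "report.txt").write_text("constructed sample upload")
        (Path(tmp) / "outside.txt").write_text("must never be deleted")
        for key in ["report.txt", "../outside.txt", "/etc/hostname", "missing.txt"]:
            try:
                results[key] = delete_uploaded_file(str(upload_dir), key)
            except UnsafeFileKey:
                results[key] = "rejected"
        results["outside_survives"] = (Path(tmp) / "outside.txt").exists()
    return results
```

Rejected keys should also be logged with the caller's identity, since a traversal attempt against a delete endpoint is a useful detection signal in itself.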