CVE-2024-10901 — DB-GPT Arbitrary File Write vulnerability

Description

In eosphoros-ai/db-gpt version v0.6.3 and earlier, the web API `POST /api/v1/editor/chart/run` allows execution of arbitrary SQL queries without any access control. This vulnerability can be exploited by attackers to perform Arbitrary File Write, enabling them to write arbitrary files to the victim's file system. This can potentially lead to Remote Code Execution (RCE) by writing malicious files such as `__init__.py` in the Python's `/site-packages/` directory.

How to fix CVE-2024-10901

No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.

—no fix listed

Is CVE-2024-10901 being exploited?

Low — EPSS is 1.5%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, <= 0.6.3

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.1	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

References (5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2024-10901
PATCHgithub.com/eosphoros-ai/DB-GPT
WEBgithub.com/eosphoros-ai/DB-GPT/commit/295cdb8723663d5b0954d5d1dfb4f02b7223b8ff
WEBgithub.com/eosphoros-ai/DB-GPT/pull/2269