CVE-2024-10902 — DB-GPT vulnerable to Arbitrary File Upload with Path Traversal

Description

In eosphoros-ai/db-gpt version v0.6.0, the web API `POST /v1/personal/agent/upload` is vulnerable to Arbitrary File Upload with Path Traversal. This vulnerability allows unauthorized attackers to upload arbitrary files to the victim's file system at any location. The impact of this vulnerability includes the potential for remote code execution (RCE) by writing malicious files, such as a malicious `__init__.py` in the Python's `/site-packages/` directory.

How to fix CVE-2024-10902

No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.

—no fix listed

Is CVE-2024-10902 being exploited?

Low — EPSS is 1.8%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, <= 0.6.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.1	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

References (3)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2024-10902
PATCHgithub.com/eosphoros-ai/DB-GPT
WEBhuntr.com/bounties/f7fbf76e-aa1c-4106-b007-e9579f4f7d5f