Goku

Name of the Vulnerable Software and Affected Versions griptape versões 0.19.4 Description Uma falha existe no griptape-ai griptape versão 0.19.4 dentro do componente SqlTool, especificamente no arquivo `griptape/tools/sql/tool.py`. A manipulação de uma funcionalidade desconhecida pode levar à injeção de SQL. Esta questão é explorável remotamente. O exploit está publicamente disponível. Recommendations Atualize para uma versão mais recente que contenha uma correção para esta vulnerabilidade.

Name of the Vulnerable Software and Affected Versions griptape versões 0.19.4 Description Existe uma falha de segurança no componente FileManagerTool do griptape. As funções `load files from disk`, `list files from disk`, `save content to file` e `save memory artifacts to disk` são suscetíveis a travessia de caminho. Essa manipulação pode ser realizada remotamente. A exploração foi divulgada publicamente. Recommendations Atualize para uma versão mais recente que contenha uma correção para esta vulnerabilidade.

**Name of the Vulnerable Software and Affected Versions** wbbeyourself MAC-SQL up to 31a9df5e0d520be4769be57a4b9022e5e34a14f4 **Description** Uma falha existe no wbbeyourself MAC-SQL, especificamente dentro do componente Refiner Agent. A função ` execute sql` no arquivo `core/agents.py` é suscetível a injeção de SQL. A exploração remota é possível. O exploit está publicamente disponível. **Recommendations** Atualmente, não há informações sobre uma versão mais recente que contenha uma correção para esta vulnerabilidade.

Name of the Vulnerable Software and Affected Versions premAI-io premsql versões até 0.2.1 Description Uma fraqueza existe na função `eval` dentro do arquivo `premsql/agents/baseline/workers/followup.py` do premAI-io premsql. A manipulação do argumento `result` pode levar à injeção de código, potencialmente permitindo ataques remotos. O exploit foi divulgado publicamente. Recommendations Atualize o premsql para uma versão posterior a 0.2.1.

Name of the Vulnerable Software and Affected Versions zongyu09 openchatbi versões até 0.2.1 Description Uma falha existe no componente Multi-stage Text2SQL Workflow do zhongyu09 openchatbi. A manipulação do argumento `keywords` pode resultar em injeção de SQL. Esta questão pode ser explorada remotamente. A vulnerabilidade foi divulgada publicamente. Recommendations Versões anteriores a 0.2.1 devem ser atualizadas.

Name of the Vulnerable Software and Affected Versions griptape versões 0.19.4 Description Uma falha existe no griptape-ai griptape versão 0.19.4 dentro do componente ComputerTool, especificamente no arquivo `griptapetoolscomputertool.py`. A manipulação do argumento `filename` pode levar a uma travessia de caminho, permitindo potencialmente ataques remotos. O exploit foi publicado. Recommendations Atualize para uma versão mais recente que contenha uma correção para esta vulnerabilidade. Como medida temporária, restrinja o acesso ao argumento `filename` no componente ComputerTool.

**Name of the Vulnerable Software and Affected Versions** Foundation Agents MetaGPT versions prior to 0.8.1 **Description** A vulnerability exists in Foundation Agents MetaGPT up to version 0.8.1. The issue is related to injection within the DataInterpreter component, specifically in the file `metagpt/actions/di/write analysis code.py`. This allows for remote exploitation. The exploit has been publicly released, and the vendor was notified but did not respond. **Recommendations** Update Foundation Agents MetaGPT to a version newer than 0.8.1.

**Name of the Vulnerable Software and Affected Versions** vanna-ai vanna versions up to 2.0.2 **Description** A security issue exists in vanna-ai vanna. The `exec` function within the `/src/vanna/legacy` file is susceptible to injection. This manipulation can be carried out remotely. The exploit for this issue has been publicly disclosed. **Recommendations** Versions prior to 2.0.2 should be updated. As a temporary workaround, consider restricting access to the `/src/vanna/legacy` file to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** vanna-ai vanna versions up to 2.0.2 **Description** A SQL injection issue exists in vanna-ai vanna up to version 2.0.2. The issue is located in the `ask` function within the `vannalegacybasebase.py` file. A manipulation of input can lead to SQL injection, and the attack can be carried out remotely. The exploit is publicly available. The vendor was contacted but did not respond. **Recommendations** Versions prior to 2.0.2 should be updated.

**Name of the Vulnerable Software and Affected Versions** Foundation Agents MetaGPT versions up to 0.8.1 **Description** A code injection issue exists in the `code generate` function within the `metagpt/ext/aflow/scripts/operator.py` file. This allows for remote initiation of attacks. The exploit details have been publicly disclosed. The vendor was notified but did not respond. **Recommendations** Versions prior to 0.8.1 should be used. As a temporary workaround, consider restricting access to the `metagpt/ext/aflow/scripts/operator.py` file to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** apconw Aix-DB versions up to 1.2.3 **Description** A security flaw exists in apconw Aix-DB, specifically within the file `agent/text2sql/rag/terminology retriever.py`. Manipulation of the `Description` argument can lead to SQL injection. The attack requires local access. The exploit has been publicly released. The vendor was contacted but did not respond. **Recommendations** Versions prior to 1.2.3 should be updated. As a temporary workaround, consider restricting access to the `terminology retriever.py` file to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** bagofwords1 versions prior to 0.0.298 **Description** A flaw exists in the `generate df` function within the `backend/app/ai/code execution/code execution.py` file. This allows for injection attacks that can be launched remotely. The exploit is publicly available. **Recommendations** Upgrade to version 0.0.298 or later.

**Name of the Vulnerable Software and Affected Versions** Mindinventory MindSQL versions up to 0.2.1 **Description** A flaw exists in Mindinventory MindSQL that could allow for SQL injection. The issue is located in the `ask db` function within the `mindsql/core/mindsql core.py` file. This issue can be exploited remotely. The exploit has been publicly disclosed. The vendor was contacted but did not respond. **Recommendations** Versions prior to 0.2.1 should be updated. As a temporary workaround, consider restricting access to the `ask db` function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Mindinventory MindSQL versions up to 0.2.1 **Description** A code injection issue exists in Mindinventory MindSQL. The `ask db` function within the `mindsql/core/mindsql core.py` file is susceptible to manipulation, leading to code injection. This issue can be exploited remotely. The details of the exploit have been publicly disclosed. The vendor was notified but did not respond. **Recommendations** Versions prior to 0.2.1 are affected. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** eosphoros-ai DB-GPT versions up to 0.7.5 **Description** A flaw exists in eosphoros-ai DB-GPT that allows for unrestricted file uploads. This issue is related to the `module plugin.refresh plugins` function within the file `packages/dbgpt-serve/src/dbgpt serve/agent/hub/controller.py` of the FastAPI Endpoint component. The attack can be launched remotely. The exploit details have been publicly disclosed. The vendor was notified but did not respond. **Recommendations** Versions up to 0.7.5 are affected. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** eosphoros-ai db-gpt versions up to 0.7.5 **Description** A flaw exists in eosphoros-ai db-gpt up to version 0.7.5. The issue resides in unknown code within the `/api/v1/editor/` file of the Incomplete Fix component and allows for SQL injection. This manipulation can be initiated remotely. The exploit has been published. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.