Goku

Name of the Vulnerable Software and Affected Versions griptape versions 0.19.4 Description A flaw exists in griptape-ai griptape version 0.19.4 within the SqlTool component, specifically in the file `griptape/tools/sql/tool.py`. Manipulation of an unknown functionality can lead to SQL injection. This issue is remotely exploitable. The exploit is publicly available. Recommendations Update to a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions griptape versions 0.19.4 Description A security issue exists in the FileManagerTool component of griptape. The functions `load files from disk`, `list files from disk`, `save content to file`, and `save memory artifacts to disk` are susceptible to path traversal. This manipulation can be performed remotely. The exploit has been publicly disclosed. Recommendations Update to a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** wbbeyourself MAC-SQL up to 31a9df5e0d520be4769be57a4b9022e5e34a14f4 **Description** A flaw exists in wbbeyourself MAC-SQL, specifically within the Refiner Agent component. The ` execute sql` function in the `core/agents.py` file is susceptible to SQL injection. Remote exploitation is possible. The exploit is publicly available. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions premAI-io premsql versions up to 0.2.1 Description A weakness exists in the `eval` function within the `premsql/agents/baseline/workers/followup.py` file of premAI-io premsql. Manipulation of the `result` argument can lead to code injection, potentially allowing for remote attacks. The exploit has been publicly released. Recommendations Update premsql to a version later than 0.2.1.

Name of the Vulnerable Software and Affected Versions zongyu09 openchatbi versions up to 0.2.1 Description A flaw exists in the Multi-stage Text2SQL Workflow component of zhongyu09 openchatbi. Manipulation of the `keywords` argument can result in SQL injection. This issue can be exploited remotely. The vulnerability has been publicly disclosed. Recommendations Versions prior to 0.2.1 should be updated.

Name of the Vulnerable Software and Affected Versions griptape versions 0.19.4 Description A flaw exists in griptape-ai griptape version 0.19.4 within the ComputerTool component, specifically in the file `griptapetoolscomputertool.py`. Manipulation of the `filename` argument can lead to a path traversal, potentially allowing remote attacks. The exploit has been published. Recommendations Update to a newer version that contains a fix for this vulnerability. As a temporary workaround, restrict access to the `filename` argument in the ComputerTool component.

**Name of the Vulnerable Software and Affected Versions** Foundation Agents MetaGPT versions prior to 0.8.1 **Description** A vulnerability exists in Foundation Agents MetaGPT up to version 0.8.1. The issue is related to injection within the DataInterpreter component, specifically in the file `metagpt/actions/di/write analysis code.py`. This allows for remote exploitation. The exploit has been publicly released, and the vendor was notified but did not respond. **Recommendations** Update Foundation Agents MetaGPT to a version newer than 0.8.1.

**Name of the Vulnerable Software and Affected Versions** vanna-ai vanna versions up to 2.0.2 **Description** A security issue exists in vanna-ai vanna. The `exec` function within the `/src/vanna/legacy` file is susceptible to injection. This manipulation can be carried out remotely. The exploit for this issue has been publicly disclosed. **Recommendations** Versions prior to 2.0.2 should be updated. As a temporary workaround, consider restricting access to the `/src/vanna/legacy` file to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** vanna-ai vanna versions up to 2.0.2 **Description** A SQL injection issue exists in vanna-ai vanna up to version 2.0.2. The issue is located in the `ask` function within the `vannalegacybasebase.py` file. A manipulation of input can lead to SQL injection, and the attack can be carried out remotely. The exploit is publicly available. The vendor was contacted but did not respond. **Recommendations** Versions prior to 2.0.2 should be updated.

**Name of the Vulnerable Software and Affected Versions** Foundation Agents MetaGPT versions up to 0.8.1 **Description** A code injection issue exists in the `code generate` function within the `metagpt/ext/aflow/scripts/operator.py` file. This allows for remote initiation of attacks. The exploit details have been publicly disclosed. The vendor was notified but did not respond. **Recommendations** Versions prior to 0.8.1 should be used. As a temporary workaround, consider restricting access to the `metagpt/ext/aflow/scripts/operator.py` file to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** apconw Aix-DB versions up to 1.2.3 **Description** A security flaw exists in apconw Aix-DB, specifically within the file `agent/text2sql/rag/terminology retriever.py`. Manipulation of the `Description` argument can lead to SQL injection. The attack requires local access. The exploit has been publicly released. The vendor was contacted but did not respond. **Recommendations** Versions prior to 1.2.3 should be updated. As a temporary workaround, consider restricting access to the `terminology retriever.py` file to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** bagofwords1 versions prior to 0.0.298 **Description** A flaw exists in the `generate df` function within the `backend/app/ai/code execution/code execution.py` file. This allows for injection attacks that can be launched remotely. The exploit is publicly available. **Recommendations** Upgrade to version 0.0.298 or later.

**Name of the Vulnerable Software and Affected Versions** Mindinventory MindSQL versions up to 0.2.1 **Description** A flaw exists in Mindinventory MindSQL that could allow for SQL injection. The issue is located in the `ask db` function within the `mindsql/core/mindsql core.py` file. This issue can be exploited remotely. The exploit has been publicly disclosed. The vendor was contacted but did not respond. **Recommendations** Versions prior to 0.2.1 should be updated. As a temporary workaround, consider restricting access to the `ask db` function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Mindinventory MindSQL versions up to 0.2.1 **Description** A code injection issue exists in Mindinventory MindSQL. The `ask db` function within the `mindsql/core/mindsql core.py` file is susceptible to manipulation, leading to code injection. This issue can be exploited remotely. The details of the exploit have been publicly disclosed. The vendor was notified but did not respond. **Recommendations** Versions prior to 0.2.1 are affected. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** eosphoros-ai DB-GPT versions up to 0.7.5 **Description** A flaw exists in eosphoros-ai DB-GPT that allows for unrestricted file uploads. This issue is related to the `module plugin.refresh plugins` function within the file `packages/dbgpt-serve/src/dbgpt serve/agent/hub/controller.py` of the FastAPI Endpoint component. The attack can be launched remotely. The exploit details have been publicly disclosed. The vendor was notified but did not respond. **Recommendations** Versions up to 0.7.5 are affected. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** eosphoros-ai db-gpt versions up to 0.7.5 **Description** A flaw exists in eosphoros-ai db-gpt up to version 0.7.5. The issue resides in unknown code within the `/api/v1/editor/` file of the Incomplete Fix component and allows for SQL injection. This manipulation can be initiated remotely. The exploit has been published. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.