PT-2025-12069 · Unknown · Eosphoros-Ai/Db-Gpt

Published: 2025-03-20 · Updated: 2025-03-20 · CVE-2024-10830

CVSS v3.1: 8.2 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
Name of the Vulnerable Software and Affected Versions: eosphoros-ai/db-gpt version 0.6.0

Description: A Path Traversal issue exists that allows an attacker to delete any file on the server by manipulating the file key parameter of the API endpoint "/v1/resource/file/delete". The file key parameter is not properly sanitized, so an attacker can specify arbitrary file paths. If the specified file exists, the application deletes it.

Recommendations: For version 0.6.0, as a temporary workaround, consider restricting access to the "/v1/resource/file/delete" API endpoint until a patch is available. Additionally, avoid using the file key parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
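The root cause described above is that a client-controlled file key is joined onto a storage path and passed straight to the delete call. The following is an added example, not code from DB-GPT, showing how such a delete handler can confine keys to a storage root: the key is resolved relative to the root and the resolved path is then checked to lie inside the resolved root, which catches ".." segments, absolute paths and symlink escapes alike. The storage root, the function names and the sample keys are assumptions constructed for the illustration.

```python
import tempfile
from pathlib import Path


class InvalidFileKey(ValueError):
    """Raised when a client-supplied file key does not resolve inside the storage root."""


def resolve_file_key(storage_root: str, file_key: str) -> Path:
    """Map a client-supplied key to an on-disk path, refusing anything that escapes storage_root.

    The key is treated as a path relative to storage_root. Both the root and the joined
    candidate are resolved (symlinks followed, '..' collapsed) before the containment check,
    so the check is made on the path the filesystem would actually act on.
    """
    if not file_key or "\x00" in file_key:
        raise InvalidFileKey("empty or NUL-containing key")
    if Path(file_key).is_absolute():
        raise InvalidFileKey("absolute paths are not accepted as keys")
    root = Path(storage_root).resolve()
    candidate = (root / file_key).resolve()
    try:
        candidate.relative_to(root)
    except ValueError:
        raise InvalidFileKey("key resolves outside the storage root") from None
    if candidate == root:
        raise InvalidFileKey("key resolves to the storage root itself")
    return candidate


def is_key_allowed(storage_root: str, file_key: str) -> bool:
    """True if the key would be accepted by resolve_file_key, False if it would be rejected."""
    try:
        resolve_file_key(storage_root, file_key)
    except InvalidFileKey:
        return False
    return True


def delete_file_by_key(storage_root: str, file_key: str) -> bool:
    """Delete the regular file a key refers to; returns True only if a file was removed."""
    target = resolve_file_key(storage_root, file_key)
    if not target.is_file():
        return False
    target.unlink()
    return True


# Constructed sample keys (hypothetical): two that should be accepted, four that must be rejected.
SAMPLE_KEYS = [
    "upload.txt",
    "sub/nested.bin",
    "../escape.txt",
    "/etc/hosts",
    "a/../../escape.txt",
    "",
]


def run_checks() -> dict:
    """Exercise the resolver in a throw-away directory; returns the outcome for each sample key."""
    with tempfile.TemporaryDirectory() as root:
        (Path(root) / "upload.txt").write_text("sample content")
        outcomes = {key: is_key_allowed(root, key) for key in SAMPLE_KEYS}
        # A valid key deletes the file once; the second attempt finds nothing to delete.
        outcomes["delete_valid"] = delete_file_by_key(root, "upload.txt")
        outcomes["delete_missing"] = delete_file_by_key(root, "upload.txt")
    return outcomes


if __name__ == "__main__":
    for key, allowed in run_checks().items():
        print(f"{key!r}: {allowed}")
```

The containment check is done on the resolved path rather than by string-matching the key, because a key can be syntactically clean yet still point outside the root through a symlink within the storage directory. Rejecting the root itself prevents a key such as "." from being passed to a delete routine that might recurse.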

Exploit: Path traversal


Weakness Enumeration

Related Identifiers

CVE-2024-10830
GHSA-8PWP-PHCG-H36G

Affected Products

Eosphoros-Ai/Db-Gpt