PT-2025-12071 · Unknown · Eosphoros-Ai/Db-Gpt

Published: 2025-03-20 · Updated: 2025-03-20 · CVE-2024-10833

CVSS v3.1: 9.1 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Name of the Vulnerable Software and Affected Versions: eosphoros-ai/db-gpt version 0.6.0

Description: The issue is an arbitrary file write through the knowledge API: the file upload endpoint is vulnerable to absolute path traversal, which lets an attacker write files to arbitrary locations on the target server. The `doc_file.filename` parameter is user-controllable, so a caller can supply an absolute path as the filename, which leads to this vulnerability.

Recommendations: For eosphoros-ai/db-gpt version 0.6.0, restrict access to the knowledge API endpoint to minimize the risk of exploitation. As a temporary workaround, do not rely on the `doc_file.filename` parameter in the affected API endpoint until the issue is resolved.
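The root cause described above is a common one: `os.path.join(upload_root, filename)` silently discards the upload root when `filename` is absolute, and `..` components walk out of it. The Python snippet below is an added illustration, not code from DB-GPT or from the advisory; the function names `vulnerable_upload_path`, `safe_upload_path` and `check_upload` and the sample filenames are constructed for this example. It shows the unsafe join beside a hardened variant that refuses absolute paths and directory components, and then confirms containment of the resolved path as defence in depth.

```python
import os


class UnsafeFilename(ValueError):
    """Raised when a client-supplied filename must not be used on disk."""


def vulnerable_upload_path(base_dir: str, filename: str) -> str:
    # The pattern behind this class of bug: os.path.join() returns the second
    # argument unchanged when it is absolute, so "/etc/cron.d/x" overrides
    # base_dir entirely and "../" components walk out of it.
    return os.path.join(base_dir, filename)


def safe_upload_path(base_dir: str, filename: str) -> str:
    """Return a path inside base_dir for a client-supplied filename, or raise."""
    if not filename or "\x00" in filename:
        raise UnsafeFilename("empty filename or NUL byte")

    # Treat both separator styles the same so "..\\..\\x" is caught on POSIX too.
    normalized = filename.replace("\\", "/")

    # Reject rather than sanitise: an absolute path, any directory component,
    # or a Windows drive prefix means the client is not sending a plain name.
    if normalized.startswith("/") or "/" in normalized or ":" in normalized:
        raise UnsafeFilename("absolute paths and directory components are not allowed")
    if normalized in (".", ".."):
        raise UnsafeFilename("reserved name")

    # Defence in depth: resolve symlinks and confirm the result is still
    # under the upload root, independent of the string checks above.
    root = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(root, normalized))
    if os.path.commonpath([root, candidate]) != root:
        raise UnsafeFilename("resolved path escapes the upload directory")
    return candidate


def check_upload(base_dir: str, filename: str) -> tuple:
    """Wrapper that reports (accepted, detail) instead of raising."""
    try:
        return True, safe_upload_path(base_dir, filename)
    except UnsafeFilename as exc:
        return False, str(exc)


if __name__ == "__main__":
    # Constructed sample inputs: one benign name and several traversal attempts.
    samples = ["report.pdf", "/etc/cron.d/x", "../../.ssh/authorized_keys",
               "..\\..\\boot.ini", "C:evil.txt", ".."]
    for name in samples:
        print(f"{name!r:32} unsafe join -> {vulnerable_upload_path('/srv/uploads', name)}")
        print(f"{'':32} hardened    -> {check_upload('/srv/uploads', name)}")
```

The important design choice is to reject any filename that carries a directory component instead of trying to strip the dangerous parts out of it; stripping invites bypasses, while a refusal is easy to log and easy for a legitimate client to understand. The final `commonpath` check costs nothing and catches mistakes in the string rules as well as symlinks already present under the upload root.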

Tags: Exploit · Fix · Path traversal


Weakness Enumeration

Related Identifiers

CVE-2024-10833
GHSA-J9G7-MQHH-9HXF

Affected Products

Eosphoros-Ai/Db-Gpt