PT-2025-12073 · Unknown · Eosphoros-Ai/Db-Gpt

Published 2025-03-20 · Updated 2025-03-21 · CVE-2024-10835

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: eosphoros-ai/db-gpt version v0.6.0

Description: The issue allows execution of arbitrary SQL queries without access control through the web API endpoint POST /api/v1/editor/sql/run. This can be exploited to perform Arbitrary File Write using DuckDB SQL, enabling attackers to write arbitrary files to the victim's file system, potentially leading to Remote Code Execution (RCE).

Recommendations: For eosphoros-ai/db-gpt version v0.6.0, consider disabling access to the POST /api/v1/editor/sql/run API endpoint until a patch is available to prevent exploitation. Restricting access to this endpoint can minimize the risk of arbitrary SQL query execution and subsequent file system manipulation.
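A defender checking whether the unauthenticated endpoint above has already been reached can search the access logs of the reverse proxy that fronts DB-GPT for POST requests to /api/v1/editor/sql/run from sources that are not on an allowlist. The following script is an added example and is not part of the advisory or of the DB-GPT project; it assumes the proxy writes the common "combined" access-log format, and the log lines, IP addresses and allowlist it uses are constructed for the example.

```python
import re
from typing import Dict, Iterable, List

# The endpoint named in the advisory.
SQL_RUN_ENDPOINT = "/api/v1/editor/sql/run"

# Constructed sample access-log lines in combined format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [20/Mar/2025:10:01:02 +0000] "POST /api/v1/editor/sql/run HTTP/1.1" 200 512 "-" "curl/8.5.0"
198.51.100.4 - - [20/Mar/2025:10:01:05 +0000] "GET /static/index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [20/Mar/2025:10:01:09 +0000] "POST /api/v1/editor/sql/run?x=1 HTTP/1.1" 200 77 "-" "python-requests/2.31"
10.0.0.5 - - [20/Mar/2025:10:02:00 +0000] "POST /api/v1/editor/sql/run HTTP/1.1" 200 300 "-" "Mozilla/5.0"
198.51.100.4 - - [20/Mar/2025:10:02:30 +0000] "GET /api/v1/editor/sql/run HTTP/1.1" 405 0 "-" "curl/8.5.0"
"""

# Combined log format: client, ident, user, [timestamp], "METHOD PATH PROTO", status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)


def find_sql_run_requests(lines: Iterable[str],
                          allowed_sources: Iterable[str] = ()) -> List[Dict[str, str]]:
    """Return every POST to the SQL-run endpoint from a source outside the allowlist.

    The query string is stripped before comparison so that requests such as
    '/api/v1/editor/sql/run?x=1' are still matched. Non-POST requests are ignored
    because the advisory concerns the POST handler.
    """
    allowed = set(allowed_sources)
    hits: List[Dict[str, str]] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a production tool would count these
        path = m.group("path").split("?", 1)[0]
        if m.group("method") != "POST" or path != SQL_RUN_ENDPOINT:
            continue
        if m.group("ip") in allowed:
            continue
        hits.append({
            "ip": m.group("ip"),
            "timestamp": m.group("ts"),
            "status": m.group("status"),
            "path": m.group("path"),
        })
    return hits


def summarize_by_source(hits: Iterable[Dict[str, str]]) -> Dict[str, int]:
    """Count flagged requests per client address, for triage."""
    counts: Dict[str, int] = {}
    for h in hits:
        counts[h["ip"]] = counts.get(h["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    # 10.0.0.5 stands in for an operator host that is permitted to use the editor.
    flagged = find_sql_run_requests(SAMPLE_LOG.splitlines(), allowed_sources={"10.0.0.5"})
    for h in flagged:
        print(f"{h['timestamp']}  {h['ip']}  POST {h['path']}  -> {h['status']}")
    print("per source:", summarize_by_source(flagged))
```

A 200 response to a POST from an unexpected source is the signal to investigate, since the vulnerable version answers such requests without any authentication; once the endpoint is blocked at the proxy as the recommendation suggests, the same search should show only 403 (or no) hits for that path.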

Exploit

Fix

SQL injection


Weakness Enumeration

Related Identifiers

CVE-2024-10835
GHSA-QCCG-9M4Q-XFM6

Affected Products

Eosphoros-Ai/Db-Gpt