CVE-2024-10902

Name of the Vulnerable Software and Affected Versions eosphoros-ai/db-gpt version v0.6.0

Description The issue concerns Arbitrary File Upload with Path Traversal in the web API POST /v1/personal/agent/upload. This allows unauthorized attackers to upload arbitrary files to the victim's file system at any location, potentially leading to remote code execution (RCE) by writing malicious files, such as a malicious init .py in Python's /site-packages/ directory.

Recommendations For eosphoros-ai/db-gpt version v0.6.0, consider disabling the POST /v1/personal/agent/upload API endpoint until a patch is available to prevent exploitation. Restrict access to sensitive directories in the file system to minimize the risk of malicious file uploads. At the moment, there is no information about a newer version that contains a fix for this vulnerability.