PT-2025-12232 · Unknown · Modelscope/Agentscope

Published 2025-03-20 · Updated 2025-03-22 · CVE-2024-8501

CVSS v3.1: 8.8 High

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

modelscope/agentscope version v0.0.4

Description

An arbitrary file download issue exists in the rpc agent client component, allowing any user to download files from the rpc agent's host by exploiting the download file method. This can lead to unauthorized access to sensitive information, including configuration files, credentials, and potentially system files, which may facilitate further exploitation such as privilege escalation or lateral movement within the network.

Recommendations

For modelscope/agentscope version v0.0.4, consider disabling the download file method in the rpc agent client component until a patch is available to prevent unauthorized file downloads. Restrict access to sensitive files and directories to minimize the risk of exploitation.
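
Restricting which files a file-serving method can reach can be enforced in code by resolving every requested path and refusing anything outside one export directory. The following is an added example, not AgentScope code and not the project's fix; `resolve_download`, `DownloadDenied`, the directory layout and the sample requests are hypothetical and constructed for illustration.

```python
import os
import tempfile
from pathlib import Path


class DownloadDenied(Exception):
    """Requested path is not a regular file inside the export directory."""


def resolve_download(base_dir: str, requested: str) -> Path:
    """Map an untrusted path to a file under base_dir, or raise.

    Hypothetical helper: base_dir is the only directory meant to be
    served, requested is the path string taken from the client request.
    """
    base = Path(base_dir).resolve(strict=True)
    # resolve() collapses ".." and follows symlinks, so the check below is
    # made on the file that would really be opened. An absolute `requested`
    # replaces `base` in the join and is rejected by the same check.
    candidate = (base / requested).resolve()
    if base not in candidate.parents:
        raise DownloadDenied(f"outside export directory: {requested!r}")
    if not candidate.is_file():
        raise DownloadDenied(f"not a regular file: {requested!r}")
    return candidate


def demo() -> dict:
    """Try constructed requests against a throwaway directory tree."""
    with tempfile.TemporaryDirectory() as root:
        export = Path(root, "export")
        export.mkdir()
        (export / "report.txt").write_text("public\n")
        secret = Path(root, "secret.env")
        secret.write_text("API_KEY=constructed-sample\n")
        os.symlink(secret, export / "link")  # symlink pointing outside
        requests = ["report.txt", "../secret.env", str(secret), "link", "missing.txt"]
        allowed = {}
        for req in requests:
            try:
                resolve_download(str(export), req)
                allowed[req] = True
            except DownloadDenied:
                allowed[req] = False
        return allowed


if __name__ == "__main__":
    for request, ok in demo().items():
        print(f"{request!r}: {'served' if ok else 'denied'}")
```

Only the first request is served; the relative, absolute, symlinked and missing paths are all denied before any file is opened.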


Weakness Enumeration

Related Identifiers

CVE-2024-8501
GHSA-P6H7-HFJ2-VMCF
PYSEC-2025-82

Affected Products

Modelscope/Agentscope