Home > Vulnerability Database > CVE-2024-10833

Mend.io Vulnerability Database

CVE-2024-10833

Good to know:

Date: March 20, 2025

eosphoros-ai/db-gpt version 0.6.0 is vulnerable to an arbitrary file write through the knowledge API. The endpoint for uploading files as 'knowledge' is susceptible to absolute path traversal, allowing attackers to write files to arbitrary locations on the target server. This vulnerability arises because the 'doc_file.filename' parameter is user-controllable, enabling the construction of absolute paths.

Severity Score

9.1

Related Resources (5)

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-10833

Url: https://huntr.com/bounties/dc58e981-e325-4c11-b4e1-1095890fd15a

Url: https://github.com/eosphoros-ai/DB-GPT/commit/780ce803e325b87f4ddfbe5824451e379aeee56c

Url: https://github.com/eosphoros-ai/DB-GPT

Url: https://www.mend.io/vulnerability-database/CVE-2024-10833

Severity Score

9.1

Weakness Type (CWE)

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CWE-22

Absolute Path Traversal

CWE-36

Top Fix

Upgrade Version

Upgrade to version dbgpt - 0.6.2;dbgpt - 0.6.2;https://github.com/eosphoros-ai/DB-GPT.git - v0.6.2

Learn More

CVSS v3.1

Base Score:	9.1
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2024-10833

Good to know:

Date: March 20, 2025

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?