
We found results for “”
CVE-2024-10902
Date: March 20, 2025
In eosphoros-ai/db-gpt version v0.6.0, the web API "POST /v1/personal/agent/upload" is vulnerable to Arbitrary File Upload with Path Traversal. This vulnerability allows unauthorized attackers to upload arbitrary files to the victim's file system at any location. The impact of this vulnerability includes the potential for remote code execution (RCE) by writing malicious files, such as a malicious "__init__.py" in the Python's "/site-packages/" directory.
Severity Score
Severity Score
Weakness Type (CWE)
External Control of File Name or Path
CWE-73CVSS v3.1
Base Score: |
|
---|---|
Attack Vector (AV): | NETWORK |
Attack Complexity (AC): | LOW |
Privileges Required (PR): | NONE |
User Interaction (UI): | NONE |
Scope (S): | UNCHANGED |
Confidentiality (C): | NONE |
Integrity (I): | HIGH |
Availability (A): | HIGH |