CRITICAL🇵🇱 Wersja polska

CVE-2024-10901

CVSS 9.8v3.1pub. 2025-03-20upd. 2025-07-17

In eosphoros-ai/db-gpt version v0.6.0, the web API `POST /api/v1/editor/chart/run` allows execution of arbitrary SQL queries without any access control. This vulnerability can be exploited by attackers to perform Arbitrary File Write, enabling them to write arbitrary files to the victim's file system. This can potentially lead to Remote Code Execution (RCE) by writing malicious files such as `__init__.py` in the Python's `/site-packages/` directory.

🤖 AI Analysis
How it works

An unauthenticated attacker sends an HTTP POST request to the `/api/v1/editor/chart/run` endpoint, passing an arbitrary SQL query that is executed by the server without permission verification. This mechanism (CWE-434 — unrestricted file upload/write) allows writing a file of arbitrary content to any location in the victim's file system. An example attack scenario involves overwriting or creating a malicious `__init__.py` file in the `/site-packages/` directory of the Python interpreter, resulting in code execution when the module is subsequently imported by the application.

Impact

An attacker can gain full control over the server through Remote Code Execution (RCE) — without needing to possess any account or permissions. The result may be compromise of confidentiality, integrity, and availability of the entire system.

Mitigation & patch

Patches available from the vendor should be applied according to the references. It is also recommended to restrict network access to db-gpt application API endpoints exclusively to trusted hosts until the fix is applied.

Who is affected

eosphoros-ai/db-gpt version v0.6.0

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Dbgpt Db Gpt

    APP
    Dbgpt
    0.6.0
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCE
CWE
References

Related vulnerabilities

CVE-2024-10835CRITICAL9.8PL ✓ten sam produkt

SQL Injection i zapis plików w db-gpt umożliwiające RCE

CVE-2024-10831CRITICAL9.1PL ✓ten sam produkt

Absolute Path Traversal w DB-GPT — zapis plików w dowolnej lokalizacji

CVE-2024-10833CRITICAL9.1PL ✓ten sam produkt

Arbitrary file write przez path traversal w DB-GPT (knowledge API)

CVE-2024-10834CRITICAL9.1PL ✓ten sam produkt

Dowolny zapis plików w db-gpt przez podatność path traversal w RAG-knowledge

CVE-2024-10902CRITICAL9.8PL ✓ten sam produkt

Arbitrary File Upload z Path Traversal w db-gpt — możliwy RCE