CVE-2024-10830 – dbgpt
Package
Manager: pip
Name: dbgpt
Vulnerable Version: >=0 <=0.6.0
Severity
Level: High
CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N
EPSS: 0.00112 (percentile: 0.30438)
Details
DB-GPT Path Traversal vulnerability
A Path Traversal vulnerability exists in eosphoros-ai/db-gpt version 0.6.0 at the API endpoint `/v1/resource/file/delete`. This vulnerability allows an attacker to delete any file on the server by manipulating the `file_key` parameter. The `file_key` parameter is not properly sanitized, enabling an attacker to specify arbitrary file paths. If the specified file exists, the application will delete it.
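A containment check of the kind this class of bug calls for, as an added example that is not DB-GPT's code or its fix: the client-supplied `file_key` is resolved against a storage root and rejected unless the result stays inside that root. The names `resolve_file_key`, `delete_by_key`, `UnsafeFileKey` and the `uploads` directory are hypothetical, and the sample keys are constructed.

```python
import tempfile
from pathlib import Path


class UnsafeFileKey(ValueError):
    """Raised when file_key would resolve outside the storage root."""


def resolve_file_key(storage_root: Path, file_key: str) -> Path:
    """Map a client-supplied file_key to a path inside storage_root, or raise."""
    if not file_key or "\x00" in file_key:
        raise UnsafeFileKey("empty key or NUL byte")
    root = storage_root.resolve(strict=True)
    # resolve() collapses ".." and follows symlinks before the containment check.
    candidate = (root / file_key).resolve(strict=False)
    if candidate == root or root not in candidate.parents:
        raise UnsafeFileKey(f"{file_key!r} escapes the storage root")
    return candidate


def delete_by_key(storage_root: Path, file_key: str) -> bool:
    """Delete a regular file under storage_root; return False if absent."""
    target = resolve_file_key(storage_root, file_key)
    if not target.is_file():
        return False
    target.unlink()
    return True


def demo() -> dict:
    """Run constructed file_key values against a temporary storage root."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "uploads"
        root.mkdir()
        (root / "report.csv").write_text("constructed sample")
        outside = Path(tmp) / "config.toml"  # next to the root, not inside it
        outside.write_text("constructed sample")
        keys = {"inside": "report.csv", "dotdot": "../config.toml",
                "absolute": str(outside), "missing": "missing.txt"}
        results = {}
        for label, key in keys.items():
            try:
                results[label] = delete_by_key(root, key)
            except UnsafeFileKey:
                results[label] = "rejected"
        results["outside_survives"] = outside.exists()
    return results


if __name__ == "__main__":
    print(demo())
```

The check and the delete are separate steps, so the storage root should not be writable by anyone able to swap a directory for a symlink between them.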
Metadata
Created: 2025-03-20T12:32:40Z
Modified: 2025-03-21T16:25:39Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-8pwp-phcg-h36g/GHSA-8pwp-phcg-h36g.json
CWE IDs: ["CWE-22"]
Alternative ID: GHSA-8pwp-phcg-h36g
Finding: F063
Auto approve: 1