CVE-2024-10906 – dbgpt

Package

Manager: pip
Name: dbgpt
Vulnerable Version: >=0 <=0.6.0

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:L

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N

EPSS: 0.00023 pctl0.04589

Details

DB-GPT vulnerable to Cross-Site Request Forgery In version 0.6.0 of eosphoros-ai/db-gpt, the `uvicorn` app created by `dbgpt_server` uses an overly permissive instance of `CORSMiddleware` which sets the `Access-Control-Allow-Origin` to `*` for all requests. This configuration makes all endpoints exposed by the server vulnerable to Cross-Site Request Forgery (CSRF). An attacker can exploit this vulnerability to interact with any endpoints of the instance, even if the instance is not publicly exposed to the network.

Metadata

Created: 2025-03-20T12:32:40Z
Modified: 2025-03-21T16:15:55Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-3248-f932-c76p/GHSA-3248-f932-c76p.json
CWE IDs: ["CWE-352"]
Alternative ID: GHSA-3248-f932-c76p
Finding: F007
Auto approve: 1