CVE-2024-10830

Published: Mar 20, 2025Modified: Jul 17, 2025

8.2

Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H

Exploitability: 3.9 / Impact: 4.2

Source: security@huntr.dev (Secondary)

Description

A Path Traversal vulnerability exists in the eosphoros-ai/db-gpt version 0.6.0 at the API endpoint `/v1/resource/file/delete`. This vulnerability allows an attacker to delete any file on the server by manipulating the `file_key` parameter. The `file_key` parameter is not properly sanitized, enabling an attacker to specify arbitrary file paths. If the specified file exists, the application will delete it.

Affected (1)

Products: Dbgpt: Db Gpt

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Dbgpt Db Gpt	Version 0.6.0

Related CWEs

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

References (2)

https://huntr.com/bounties/26adf08a-9262-4d5a-a2ee-ce12ed919620

Source: security@huntr.dev

ExploitThird Party Advisory

https://huntr.com/bounties/26adf08a-9262-4d5a-a2ee-ce12ed919620

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0

ExploitThird Party Advisory

Timeline

No history available yet.