← Back

CVE-2024-10901

nvd nist
Published: Mar 20, 2025Modified: Jul 17, 2025

JSON object

Loading...
9.8
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 / Impact: 5.9
Source: NVD

Description

In eosphoros-ai/db-gpt version v0.6.0, the web API `POST /api/v1/editor/chart/run` allows execution of arbitrary SQL queries without any access control. This vulnerability can be exploited by attackers to perform Arbitrary File Write, enabling them to write arbitrary files to the victim's file system. This can potentially lead to Remote Code Execution (RCE) by writing malicious files such as `__init__.py` in the Python's `/site-packages/` directory.

Affected (1)

Products: Dbgpt: Db Gpt
Dbgpt
1 product
Db Gpt
Configuration A
1 vulnerable
Vulnerable SoftwareAffected Versions
Db Gpt
Version 0.6.0

Related CWEs

CWE-434
Unrestricted Upload of File with Dangerous Type
The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

References (1)

Source: security@huntr.dev
ExploitThird Party Advisory

Timeline

No history available yet.