CVE-2024-10831

In eosphoros-ai/db-gpt version 0.6.0, the endpoint for uploading files is vulnerable to absolute path traversal. This vulnerability allows an attacker to upload arbitrary files to arbitrary locations on the target server. The issue arises because the `file_key` and `doc_file.filename` parameters are user-controllable, enabling the construction of paths outside the intended directory. This can lead to overwriting essential system files, such as SSH keys, for further exploitation.

CVSS v3 9.1 CRITICAL

9.1^/10

CVSS v3 : CRITICAL

Vector : AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

Exploitability : 3.9 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://huntr.com/bounties/5c34c39f-66d4-414c-ab6a-f7888a5d882a	Exploit Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:dbgpt:db-gpt:0.6.0:*:*:*:*:*:*:*

History

No history.

Information

Published : 2025-03-20 10:15

Updated : 2025-07-17 13:38

NVD link : CVE-2024-10831

Mitre link : CVE-2024-10831

CVE.ORG link : CVE-2024-10831

JSON object : View

Products Affected

dbgpt

db-gpt

CWE

CWE-36

Absolute Path Traversal

{"id": "CVE-2024-10831", "cveTags": [], "metrics": {"cvssMetricV30": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 5.2, "exploitabilityScore": 3.9}]}, "published": "2025-03-20T10:15:20.500", "references": [{"url": "https://huntr.com/bounties/5c34c39f-66d4-414c-ab6a-f7888a5d882a", "tags": ["Exploit", "Third Party Advisory"], "source": "[email protected]"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-36"}]}], "descriptions": [{"lang": "en", "value": "In eosphoros-ai/db-gpt version 0.6.0, the endpoint for uploading files is vulnerable to absolute path traversal. This vulnerability allows an attacker to upload arbitrary files to arbitrary locations on the target server. The issue arises because the `file_key` and `doc_file.filename` parameters are user-controllable, enabling the construction of paths outside the intended directory. This can lead to overwriting essential system files, such as SSH keys, for further exploitation."}, {"lang": "es", "value": "En la versi\u00f3n 0.6.0 de eosphoros-ai/db-gpt, el endpoint para subir archivos es vulnerable a path traversal absoluto. Esta vulnerabilidad permite a un atacante subir archivos arbitrarios a ubicaciones arbitrarias en el servidor objetivo. El problema surge porque los par\u00e1metros `file_key` y `doc_file.filename` son controlables por el usuario, lo que permite la construcci\u00f3n de rutas fuera del directorio de destino. Esto puede provocar la sobrescritura de archivos esenciales del sistema, como claves SSH, para su posterior explotaci\u00f3n."}], "lastModified": "2025-07-17T13:38:08.167", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:dbgpt:db-gpt:0.6.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "EBDB9D41-53F0-4893-AD12-C627705D4615"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]"}