| 제목 | eosphoros-ai DB-GPT <=0.7.5 Remote command execution |
|---|
| 설명 | There is fix of Arbitray SQL Run in web api `/api/v1/editor/chart/run` and `/api/v1/editor/sql/run` for CVE-2024-10835 & CVE-2024-10901 to filter the user input sql. However, the sql in llm's output which can be easily controlled by user prompt is considered trusted and execute directly. So malicious user can guide the llm to run arbitrary sql, which may cause Remote Code Execution, Arbitray File Read/Write by specific sql of different database type. |
|---|
| 원천 | ⚠️ https://github.com/Ka7arotto/cve/blob/main/dbgpt-duckdb-rce/issue.md |
|---|
| 사용자 | Goku (UID 80486) |
|---|
| 제출 | 2026. 03. 06. PM 12:20 (3 개월 ago) |
|---|
| 모더레이션 | 2026. 03. 20. PM 03:03 (14 days later) |
|---|
| 상태 | 수락 |
|---|
| VulDB 항목 | 352070 [eosphoros-ai db-gpt 까지 0.7.5 Incomplete Fix /api/v1/editor/ SQL 주입] |
|---|
| 포인트들 | 20 |
|---|