Submeter #773891: eosphoros-ai DB-GPT <=0.7.5 Remote command executioninformação

Títuloeosphoros-ai DB-GPT <=0.7.5 Remote command execution
DescriçãoThere is fix of Arbitray SQL Run in web api `/api/v1/editor/chart/run` and `/api/v1/editor/sql/run` for CVE-2024-10835 & CVE-2024-10901 to filter the user input sql. However, the sql in llm's output which can be easily controlled by user prompt is considered trusted and execute directly. So malicious user can guide the llm to run arbitrary sql, which may cause Remote Code Execution, Arbitray File Read/Write by specific sql of different database type.
Fonte⚠️ https://github.com/Ka7arotto/cve/blob/main/dbgpt-duckdb-rce/issue.md
Utilizador
 Goku (UID 80486)
Submissão06/03/2026 12h20 (há 3 meses)
Moderação20/03/2026 15h03 (14 days later)
EstadoAceite
Entrada VulDB352070 [eosphoros-ai db-gpt até 0.7.5 Incomplete Fix /api/v1/editor/ Injeção SQL]
Pontos20

VoltarVisão GeralPróximo

Want to stay up to date on a daily basis?

Enable the mail alert feature now!