CRITICAL🇵🇱 Wersja polska

CVE-2024-10835

CVSS 9.8v3.1pub. 2025-03-20upd. 2025-07-17

In eosphoros-ai/db-gpt version v0.6.0, the web API `POST /api/v1/editor/sql/run` allows execution of arbitrary SQL queries without any access control. This vulnerability can be exploited by attackers to perform Arbitrary File Write using DuckDB SQL, enabling them to write arbitrary files to the victim's file system. This can potentially lead to Remote Code Execution (RCE).

🤖 AI Analysis
How it works

An unauthenticated attacker sends an HTTP POST request to the public endpoint `/api/v1/editor/sql/run`, passing an arbitrary SQL query. The lack of access control mechanisms causes the query to be executed directly by the DuckDB engine. DuckDB functions allow writing data to files on the server's operating system, enabling the attacker to place a malicious file (e.g., executable script or webshell) and subsequently cause it to be executed, gaining control over the system.

Impact

An attacker can write arbitrary files to the victim's file system, which in practice can lead to remote code execution (RCE) and complete takeover of the server. The confidentiality, integrity, and availability of the entire system are at risk.

Mitigation & patch

Apply patches available from the vendor according to references. Additionally, it is recommended to immediately restrict access to the `/api/v1/editor/sql/run` endpoint at the firewall or reverse proxy level until the patch is implemented, and to implement authentication and authorization for all API endpoints.

Who is affected

eosphoros-ai/db-gpt version v0.6.0

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Dbgpt Db Gpt

    APP
    Dbgpt
    0.6.0
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCESQLi
CWE
References

Related vulnerabilities

CVE-2024-10901CRITICAL9.8PL ✓ten sam produkt

Dowolne wykonanie kodu przez niekontrolowane SQL API w db-gpt

CVE-2024-10831CRITICAL9.1PL ✓ten sam produkt

Absolute Path Traversal w DB-GPT — zapis plików w dowolnej lokalizacji

CVE-2024-10833CRITICAL9.1PL ✓ten sam produkt

Arbitrary file write przez path traversal w DB-GPT (knowledge API)

CVE-2024-10834CRITICAL9.1PL ✓ten sam produkt

Dowolny zapis plików w db-gpt przez podatność path traversal w RAG-knowledge

CVE-2024-10902CRITICAL9.8PL ✓ten sam produkt

Arbitrary File Upload z Path Traversal w db-gpt — możliwy RCE