CVE-2024-10835: Arbitrary File Write via SQL Injection in eosphoros-ai/db-gpt

9.1 CVSS

Description

In eosphoros-ai/db-gpt version v0.6.0, the web API `POST /api/v1/editor/sql/run` allows execution of arbitrary SQL queries without any access control. This vulnerability can be exploited by attackers to perform Arbitrary File Write using DuckDB SQL, enabling them to write arbitrary files to the victim's file system. This can potentially lead to Remote Code Execution (RCE).

Classification

CVE ID: CVE-2024-10835

CVSS Base Severity: CRITICAL

CVSS Base Score: 9.1

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

Problem Types

CWE-89 Improper Neutralization of Special Elements used in an SQL Command

Affected Products

Vendor: eosphoros-ai

Product: eosphoros-ai/db-gpt

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.47% (probability of being exploited)

EPSS Percentile: 63.26% (scored less or equal to compared to others)

EPSS Date: 2025-04-18 (when was this score calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2024-10835
https://huntr.com/bounties/e32fda74-ca83-431c-8de8-08274ba686c9

Timeline

2025-03-20 11:40:16 UTC
CVE

Arbitrary File Write via SQL Injection in eosphoros-ai/db-gpt