CVE-2024-10901: Arbitrary File Write via DuckDB SQL Injection in eosphoros-ai/db-gpt

9.1 CVSS

Description

In eosphoros-ai/db-gpt version v0.6.0, the web API `POST /api/v1/editor/chart/run` allows execution of arbitrary SQL queries without any access control. This vulnerability can be exploited by attackers to perform Arbitrary File Write, enabling them to write arbitrary files to the victim's file system. This can potentially lead to Remote Code Execution (RCE) by writing malicious files such as `__init__.py` in the Python's `/site-packages/` directory.

Classification

CVE ID: CVE-2024-10901

CVSS Base Severity: CRITICAL

CVSS Base Score: 9.1

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

Problem Types

CWE-434 Unrestricted Upload of File with Dangerous Type

Affected Products

Vendor: eosphoros-ai

Product: eosphoros-ai/db-gpt

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.37% (probability of being exploited)

EPSS Percentile: 57.75% (scored less or equal to compared to others)

EPSS Date: 2025-04-18 (when was this score calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2024-10901
https://huntr.com/bounties/db2c1d59-6e3a-4553-a1f6-94c8df162a18

Timeline

2025-03-20 11:40:17 UTC
CVE

Arbitrary File Write via DuckDB SQL Injection in eosphoros-ai/db-gpt