agentscope@0.0.5a1 vulnerabilities

AgentScope: A Flexible yet Robust Multi-Agent Platform.

latest version

0.1.0
first published

8 months ago
latest version published

a month ago
licenses detected
- Apache-2.0
  [0,)
View agentscope package health on Snyk Advisor Open this link in a new tab

Report a new vulnerability Found a mistake?

Direct Vulnerabilities

Known vulnerabilities in the agentscope package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free

Vulnerability Vulnerable Version

Vulnerability	Vulnerable Version
C Arbitrary Code Injection agentscope is an AgentScope: A Flexible yet Robust Multi-Agent Platform. Affected versions of this package are vulnerable to Arbitrary Code Injection. This vulnerability is caused by an incomplete fix for SNYK-PYTHON-AGENTSCOPE-8145542. The applied black-list to filter out dangerous commands can be simply bypassed. For example, the attackers can run `rm --rf` (note that there are more than one space character in between the `rm` and `-rf`) to bypass the check as the blocked item only has one space in between. Moreover, the current black-list also overlooked many other dangerous commands such as `netcat`, the hackers can simply create a backdoor by the command `nc -lvvp 6666 -e /bin/sh` to enable a remote shell and then log into the victim system to run arbitrary commands as follows. How to fix Arbitrary Code Injection? There is no fixed version for `agentscope`.	[0,)
C Arbitrary Code Injection agentscope is an AgentScope: A Flexible yet Robust Multi-Agent Platform. Affected versions of this package are vulnerable to Arbitrary Code Injection due to improper isolation of the execution of user-provided code. An attacker could achieve takeover of the server running the code by exploiting this vulnerability. How to fix Arbitrary Code Injection? Upgrade `agentscope` to version 0.1.0 or higher.	[,0.1.0)

Arbitrary Code Injection

agentscope is an AgentScope: A Flexible yet Robust Multi-Agent Platform.

Affected versions of this package are vulnerable to Arbitrary Code Injection. This vulnerability is caused by an incomplete fix for SNYK-PYTHON-AGENTSCOPE-8145542. The applied black-list to filter out dangerous commands can be simply bypassed. For example, the attackers can run rm --rf (note that there are more than one space character in between the rm and -rf) to bypass the check as the blocked item only has one space in between. Moreover, the current black-list also overlooked many other dangerous commands such as netcat, the hackers can simply create a backdoor by the command nc -lvvp 6666 -e /bin/sh to enable a remote shell and then log into the victim system to run arbitrary commands as follows.

How to fix Arbitrary Code Injection?

There is no fixed version for agentscope.

[0,)

Arbitrary Code Injection

agentscope is an AgentScope: A Flexible yet Robust Multi-Agent Platform.

Affected versions of this package are vulnerable to Arbitrary Code Injection due to improper isolation of the execution of user-provided code. An attacker could achieve takeover of the server running the code by exploiting this vulnerability.

How to fix Arbitrary Code Injection?

Upgrade agentscope to version 0.1.0 or higher.

[,0.1.0)

Go back to all versions of this package

agentscope@0.0.5a1 vulnerabilities

AgentScope: A Flexible yet Robust Multi-Agent Platform.

latest version

first published

latest version published

licenses detected

Direct Vulnerabilities