agentscope@0.1.2 vulnerabilities

AgentScope: A Flexible yet Robust Multi-Agent Platform.

latest version

0.1.2

first published

1 years ago

latest version published

6 hours ago

licenses detected

Apache-2.0
[0,)

View agentscope package health on Snyk Advisor (opens in a new tab)

Go back to all versions of this package

Report a new vulnerability Found a mistake?

Direct Vulnerabilities

Known vulnerabilities in the agentscope package. This does not include vulnerabilities belonging to this package’s dependencies.

How to fix?

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free

Vulnerability Vulnerable Version

Vulnerability	Vulnerable Version
C Eval Injection agentscope is an AgentScope: A Flexible yet Robust Multi-Agent Platform. Affected versions of this package are vulnerable to Eval Injection via the `result = eval(s)` field of the `is_callable_expression` function in the `agentscope\web\workstation\workflow_utils.py` file. An attacker can execute arbitrary code by providing malicious input to this function. How to fix Eval Injection? There is no fixed version for `agentscope`.	[0,)
C Arbitrary Code Injection agentscope is an AgentScope: A Flexible yet Robust Multi-Agent Platform. Affected versions of this package are vulnerable to Arbitrary Code Injection. This vulnerability is caused by an incomplete fix for SNYK-PYTHON-AGENTSCOPE-8145542. The applied black-list to filter out dangerous commands can be simply bypassed. For example, the attackers can run `rm --rf` (note that there are more than one space character in between the `rm` and `-rf`) to bypass the check as the blocked item only has one space in between. Moreover, the current black-list also overlooked many other dangerous commands such as `netcat`, the hackers can simply create a backdoor by the command `nc -lvvp 6666 -e /bin/sh` to enable a remote shell and then log into the victim system to run arbitrary commands as follows. How to fix Arbitrary Code Injection? There is no fixed version for `agentscope`.	[0,)

Eval Injection

agentscope is an AgentScope: A Flexible yet Robust Multi-Agent Platform.

Affected versions of this package are vulnerable to Eval Injection via the result = eval(s) field of the is_callable_expression function in the agentscope\web\workstation\workflow_utils.py file. An attacker can execute arbitrary code by providing malicious input to this function.

How to fix Eval Injection?

There is no fixed version for agentscope.

[0,)

Arbitrary Code Injection

agentscope is an AgentScope: A Flexible yet Robust Multi-Agent Platform.

Affected versions of this package are vulnerable to Arbitrary Code Injection. This vulnerability is caused by an incomplete fix for SNYK-PYTHON-AGENTSCOPE-8145542. The applied black-list to filter out dangerous commands can be simply bypassed. For example, the attackers can run rm --rf (note that there are more than one space character in between the rm and -rf) to bypass the check as the blocked item only has one space in between. Moreover, the current black-list also overlooked many other dangerous commands such as netcat, the hackers can simply create a backdoor by the command nc -lvvp 6666 -e /bin/sh to enable a remote shell and then log into the victim system to run arbitrary commands as follows.

How to fix Arbitrary Code Injection?

There is no fixed version for agentscope.

[0,)

Go back to all versions of this package