dbgpt@0.6.3rc0 vulnerabilities

DB-GPT is an experimental open-source project that uses localized GPT large models to interact with your data and environment. With this solution, you can be assured that there is no risk of data leakage, and your data is 100% private and secure.

  • latest version

    0.7.0

  • first published

    1 year ago

  • latest version published

    19 days ago

  • licenses detected

    • [0.4.7,0.7.0rc0)
  • Direct Vulnerabilities

    Known vulnerabilities in the dbgpt package. This does not include vulnerabilities belonging to this package’s dependencies.

    Vulnerability | Vulnerable version
    • High severity: Directory Traversal


    Affected versions of this package are vulnerable to Directory Traversal through the API endpoint /v1/resource/file/delete. An attacker can delete any file on the server by manipulating the file_key parameter.

    How to fix Directory Traversal?

    There is no fixed version for dbgpt.

    Vulnerable versions: [0,)
    • High severity: Directory Traversal


    Affected versions of this package are vulnerable to Directory Traversal through the file_key and doc_file.filename parameters, which can be used to construct paths outside the intended directory.

    How to fix Directory Traversal?

    There is no fixed version for dbgpt.

    Vulnerable versions: [0,)
    • High severity: SQL Injection


    Affected versions of this package are vulnerable to SQL Injection via the web API POST /api/v1/editor/chart/run.

    How to fix SQL Injection?

    Upgrade dbgpt to version 0.7.0 or higher.

    Vulnerable versions: [,0.7.0)
    • High severity: Cross-site Request Forgery (CSRF)


    Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) due to an overly permissive CORSMiddleware configuration that sets Access-Control-Allow-Origin to *. An attacker can interact with any endpoint of the instance, potentially leading to unauthorized actions being performed on behalf of the user.

    How to fix Cross-site Request Forgery (CSRF)?

    There is no fixed version for dbgpt.

    Vulnerable versions: [0,)
    • High severity: External Control of File Name or Path


    Affected versions of this package are vulnerable to External Control of File Name or Path through the web API POST /v1/personal/agent/upload. An attacker can execute arbitrary code on the server by uploading malicious files, such as a crafted __init__.py, which could be executed within the server's environment.

    How to fix External Control of File Name or Path?

    There is no fixed version for dbgpt.

    Vulnerable versions: [0,)
    • High severity: Denial of Service (DoS)


    Affected versions of this package are vulnerable to Denial of Service (DoS) through the multipart request boundary processing mechanism. An attacker can cause excessive resource consumption by appending excessive characters to the end of multipart boundaries.

    How to fix Denial of Service (DoS)?

    There is no fixed version for dbgpt.

    Vulnerable versions: [0,)