dbgpt 0.7.0 vulnerabilities

Known vulnerabilities in the dbgpt package. This does not include vulnerabilities belonging to this package’s dependencies.

Vulnerability	Vulnerable Version
H Directory Traversal dbgpt is a DB-GPT is an experimental open-source project that uses localized GPT large models to interact with your data and environment. With this solution, you can beassured that there is no risk of data leakage, and your data is 100% private and secure. Affected versions of this package are vulnerable to Directory Traversal through the API endpoint `/v1/resource/file/delete`. An attacker can delete any file on the server by manipulating the `file_key` parameter. How to fix Directory Traversal? There is no fixed version for `dbgpt`.	[0,)
H Directory Traversal dbgpt is a DB-GPT is an experimental open-source project that uses localized GPT large models to interact with your data and environment. With this solution, you can beassured that there is no risk of data leakage, and your data is 100% private and secure. Affected versions of this package are vulnerable to Directory Traversal through the `file_key` and `doc_file.filename` parameters. This is by constructing paths outside the intended directory. How to fix Directory Traversal? There is no fixed version for `dbgpt`.	[0,)
H Cross-site Request Forgery (CSRF) dbgpt is a DB-GPT is an experimental open-source project that uses localized GPT large models to interact with your data and environment. With this solution, you can beassured that there is no risk of data leakage, and your data is 100% private and secure. Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) due to the overly permissive configuration of `CORSMiddleware` which sets the `Access-Control-Allow-Origin` to `*`. An attacker can interact with any endpoints of the instance, potentially leading to unauthorized actions being performed on behalf of the user. How to fix Cross-site Request Forgery (CSRF)? There is no fixed version for `dbgpt`.	[0,)
H External Control of File Name or Path dbgpt is a DB-GPT is an experimental open-source project that uses localized GPT large models to interact with your data and environment. With this solution, you can beassured that there is no risk of data leakage, and your data is 100% private and secure. Affected versions of this package are vulnerable to External Control of File Name or Path through the web API `POST /v1/personal/agent/upload`. An attacker can execute arbitrary code on the server by uploading malicious files, such as a crafted `__init__.py`, which could be executed within the server's environment. How to fix External Control of File Name or Path? There is no fixed version for `dbgpt`.	[0,)
H Denial of Service (DoS) dbgpt is a DB-GPT is an experimental open-source project that uses localized GPT large models to interact with your data and environment. With this solution, you can beassured that there is no risk of data leakage, and your data is 100% private and secure. Affected versions of this package are vulnerable to Denial of Service (DoS) through the multipart request boundary processing mechanism. An attacker can cause excessive resource consumption by appending excessive characters to the end of multipart boundaries. How to fix Denial of Service (DoS)? There is no fixed version for `dbgpt`.	[0,)

Vulnerability

Vulnerable Version

Directory Traversal

dbgpt is a DB-GPT is an experimental open-source project that uses localized GPT large models to interact with your data and environment. With this solution, you can beassured that there is no risk of data leakage, and your data is 100% private and secure.

Affected versions of this package are vulnerable to Directory Traversal through the API endpoint /v1/resource/file/delete. An attacker can delete any file on the server by manipulating the file_key parameter.

How to fix Directory Traversal?