CVE-2024-10830
📋 TL;DR
This path traversal vulnerability in db-gpt version 0.6.0 allows attackers to delete arbitrary files on the server by manipulating the file_key parameter in the /v1/resource/file/delete API endpoint. Organizations running vulnerable versions of db-gpt with this endpoint exposed are affected.
💻 Affected Systems
- eosphoros-ai/db-gpt
📦 What is this software?
Db Gpt by Dbgpt
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise through deletion of critical system files, configuration files, or application data, potentially causing service disruption, data loss, or privilege escalation.
Likely Case
Data loss or service disruption through deletion of application files, user data, or configuration files, potentially leading to application downtime.
If Mitigated
Limited impact if proper file permissions, input validation, and access controls are implemented, restricting deletion to authorized files only.
🎯 Exploit Status
Exploitation requires access to the vulnerable API endpoint and knowledge of file paths. No authentication bypass is mentioned.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version after 0.6.0
Vendor Advisory: https://huntr.com/bounties/26adf08a-9262-4d5a-a2ee-ce12ed919620
Restart Required: No
Instructions:
1. Update db-gpt to the latest version. 2. Verify the patch implements proper input validation and path sanitization for the file_key parameter.
🔧 Temporary Workarounds
Input Validation Filter
allImplement server-side validation to restrict file_key parameter to allowed patterns and prevent directory traversal sequences.
Implement input validation in the API endpoint to reject file_key values containing '../', '..\\', or absolute paths.
🧯 If You Can't Patch
- Restrict access to the /v1/resource/file/delete endpoint using network controls or web application firewalls.
- Implement strict file system permissions to limit the application's ability to delete files outside designated directories.
🔍 How to Verify
Check if Vulnerable:
Check if running db-gpt version 0.6.0 and test the /v1/resource/file/delete endpoint with a file_key containing path traversal sequences like '../../etc/passwd'.Check Version:
Check package version or application configuration for db-gpt version information.Verify Fix Applied:
After updating, test the same endpoint with path traversal sequences to confirm file deletion is blocked and proper error handling occurs.📡 Detection & Monitoring
Log Indicators:
- Unusual file deletion requests in application logs, especially with file_key parameters containing '../' or similar traversal sequences.
- Failed file deletion attempts with path traversal patterns.
Network Indicators:
- HTTP requests to /v1/resource/file/delete with suspicious file_key parameters containing path traversal sequences.
SIEM Query:
Search for HTTP requests to '/v1/resource/file/delete' with file_key parameter containing patterns like '*../*' or '*..\\*'.