High

db-gpt

CSRF Vulnerability Due to Permissive CORS Middleware

dbgpt_server in DB-GPT version 0.6.0 uses an overly permissive CORS middleware configuration that allows any origin to access its endpoints, resulting in a CSRF vulnerability. The issue was identified and reported but has not yet been patched.

Available publicly on Jan 04 2025

7.1

CVSS: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:L

Credit: patrik-ha

Remediation Steps

  1. Update the CORS middleware configuration to restrict access to trusted origins only.
  2. Implement CSRF protection mechanisms, such as requiring CSRF tokens for state-changing requests.
  3. Regularly review and update security configurations to ensure they adhere to best practices.
  4. Monitor and audit server logs for any suspicious activity that may indicate exploitation of this vulnerability.
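The following is an added illustration of step 1, not DB-GPT's own code: a simplified model of how a CORS middleware such as Starlette's (the stack FastAPI applications, and by assumption dbgpt_server, are built on) answers a cross-origin preflight under a permissive configuration and under a restricted one. The CorsConfig class, both configurations and the origins are constructed for this example.

```python
"""Simplified model of how a CORS middleware such as Starlette's (used by FastAPI
apps) answers cross-origin requests. Not DB-GPT's code; configs are constructed."""
from __future__ import annotations
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class CorsConfig:
    allow_origins: tuple[str, ...]
    allow_credentials: bool = False
    allow_methods: tuple[str, ...] = ("GET",)
    allow_headers: tuple[str, ...] = ()


# Weak setting of the kind the advisory describes: every origin, with credentials.
PERMISSIVE = CorsConfig(("*",), True, ("*",), ("*",))
# Corrected setting (step 1): explicit trusted origins, minimal methods/headers.
RESTRICTED = CorsConfig(("https://dbgpt.example.internal",),  # placeholder origin
                        True, ("GET", "POST"), ("Content-Type", "Authorization"))


def origin_is_allowed(cfg: CorsConfig, origin: str) -> bool:
    """Exact match on scheme://host[:port]; no prefix, suffix or regex matching."""
    if "*" in cfg.allow_origins:
        return True
    p = urlsplit(origin)
    if p.scheme not in ("http", "https") or not p.netloc or p.path not in ("", "/"):
        return False  # rejects "null", malformed values and origins carrying a path
    return f"{p.scheme}://{p.netloc}".lower() in {o.lower() for o in cfg.allow_origins}


def preflight(cfg: CorsConfig, origin: str, method: str,
              request_headers: tuple[str, ...]) -> dict[str, str] | None:
    """Preflight response headers, or None when the browser must refuse the request."""
    if not origin_is_allowed(cfg, origin):
        return None
    if "*" not in cfg.allow_methods and method.upper() not in cfg.allow_methods:
        return None
    if "*" not in cfg.allow_headers:
        allowed = {h.lower() for h in cfg.allow_headers}
        if any(h.lower() not in allowed for h in request_headers):
            return None
    # A credentialed response cannot carry "*", so a permissive middleware echoes
    # the caller's Origin back: any site can then act as the logged-in user.
    echo = cfg.allow_credentials or "*" not in cfg.allow_origins
    resp = {"Access-Control-Allow-Origin": origin if echo else "*"}
    if cfg.allow_credentials:
        resp["Access-Control-Allow-Credentials"] = "true"
    return resp
```

With PERMISSIVE, a preflight from any origin comes back with that origin echoed and credentials allowed; with RESTRICTED, the same request from an unlisted origin, an unlisted method, or with an unlisted header gets no CORS headers and the browser refuses to send it.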

Patch Details

  • Fixed Version: N/A
  • Patch Commit: N/A