Severity: High

db-gpt

Path Traversal in API Endpoint Allowing Arbitrary File Deletion

A Path Traversal vulnerability in version 0.6.0 of the software allows an attacker to delete any file on the server through the `file_key` parameter of the `/v1/resource/file/delete` API endpoint, because the parameter is used to build a filesystem path without being confined to an allowed directory. The issue has not been patched yet.

Available publicly on Nov 05 2024

Score: 8.2

Remediation Steps
  1. Sanitize the file_key parameter to ensure it does not contain any path traversal sequences.
  2. Implement proper input validation to restrict the file_key to allowed directories.
  3. Update the delete_file function to include additional security checks before deleting files.
  4. Release a patched version of the software and notify users to update to the latest version.
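The first three remediation steps describe one check: map the client-supplied `file_key` to a path, resolve it, and refuse to delete anything that lands outside the directory the endpoint is meant to manage. The following is an added example written for this advisory, not DB-GPT's own code; the names `resolve_in_root`, `safe_delete_file`, `key_is_confined` and `DeleteError` are assumptions, and the upload root is supplied by the caller.

```python
"""
Added example (not DB-GPT's own code): a hardened file-delete helper that
confines a client-supplied ``file_key`` to a fixed upload directory.
The function and exception names used here are assumptions made for
this illustration.
"""
import os
from pathlib import Path


class DeleteError(ValueError):
    """Raised when a file_key is rejected or the target cannot be deleted."""


def resolve_in_root(root: Path, file_key: str) -> Path:
    """Map ``file_key`` to a path that must stay inside ``root``.

    Rejects empty keys, NUL bytes, absolute paths and any key that, after
    ``..`` segments and symlinks are resolved, escapes the root directory.
    """
    if not file_key or "\x00" in file_key:
        raise DeleteError("invalid file_key")
    # An absolute key (POSIX or Windows style) would ignore the root entirely.
    if Path(file_key).is_absolute() or file_key.startswith(("/", "\\")):
        raise DeleteError("absolute paths are not allowed")

    root_real = root.resolve()
    # Resolve the joined path so '..' and symlinks are followed *before*
    # the containment check; checking the unresolved string is not enough.
    candidate = (root_real / file_key).resolve()

    # Containment: candidate must be the root or one of its descendants.
    # os.path.commonpath is used instead of a string-prefix test, which
    # would wrongly accept '/data/uploads_evil' for root '/data/uploads'.
    if os.path.commonpath([root_real, candidate]) != str(root_real):
        raise DeleteError("path traversal detected")
    if candidate == root_real:
        raise DeleteError("file_key must name a file, not the root")
    return candidate


def key_is_confined(root: Path, file_key: str) -> bool:
    """True if ``file_key`` resolves to a location inside ``root``."""
    try:
        resolve_in_root(root, file_key)
    except DeleteError:
        return False
    return True


def safe_delete_file(root: Path, file_key: str) -> str:
    """Delete the file named by ``file_key`` if it lies inside ``root``.

    Returns the resolved path that was deleted, as a string.
    """
    target = resolve_in_root(root, file_key)
    # Only regular files are deletable through this endpoint; directories,
    # devices and dangling references are refused.
    if not target.is_file():
        raise DeleteError("not a regular file")
    target.unlink()
    return str(target)


if __name__ == "__main__":
    import tempfile

    # Constructed sample: a throwaway upload root with one file in it.
    demo_root = Path(tempfile.mkdtemp())
    (demo_root / "report.txt").write_text("sample")
    for key in ("report.txt", "../../etc/passwd", "/etc/passwd", ""):
        print(f"{key!r:24} confined={key_is_confined(demo_root, key)}")
    print("deleted:", safe_delete_file(demo_root, "report.txt"))
```

The resolve-then-compare order matters: validating the raw string (for example, stripping `..`) can be bypassed by encodings or by a symlink already present under the root, whereas resolving first and then checking containment against the resolved root covers both. Keeping the check in a single helper, as step 3 suggests, also lets the same guard be reused by any other endpoint that takes a `file_key`.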
Patch Details
  • Fixed Version: N/A
  • Patch Commit: N/A