{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2024-10830","assignerOrgId":"c09c270a-b464-47c1-9133-acb35b22c19a","state":"PUBLISHED","assignerShortName":"@huntr_ai","dateReserved":"2024-11-04T22:48:29.267Z","datePublished":"2025-03-20T10:11:19.024Z","dateUpdated":"2025-03-20T14:28:18.389Z"},"containers":{"cna":{"title":"Path Traversal in eosphoros-ai/db-gpt","providerMetadata":{"orgId":"c09c270a-b464-47c1-9133-acb35b22c19a","shortName":"@huntr_ai","dateUpdated":"2025-03-20T10:11:19.024Z"},"descriptions":[{"lang":"en","value":"A Path Traversal vulnerability exists in the eosphoros-ai/db-gpt version 0.6.0 at the API endpoint `/v1/resource/file/delete`. This vulnerability allows an attacker to delete any file on the server by manipulating the `file_key` parameter. The `file_key` parameter is not properly sanitized, enabling an attacker to specify arbitrary file paths. If the specified file exists, the application will delete it."}],"affected":[{"vendor":"eosphoros-ai","product":"eosphoros-ai/db-gpt","versions":[{"version":"unspecified","status":"affected","versionType":"custom","lessThanOrEqual":"latest"}]}],"references":[{"url":"https://huntr.com/bounties/26adf08a-9262-4d5a-a2ee-ce12ed919620"}],"metrics":[{"cvssV3_0":{"version":"3.0","attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","confidentialityImpact":"NONE","integrityImpact":"LOW","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H","baseScore":8.2,"baseSeverity":"HIGH"}}],"problemTypes":[{"descriptions":[{"type":"CWE","lang":"en","description":"CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","cweId":"CWE-22"}]}],"source":{"advisory":"26adf08a-9262-4d5a-a2ee-ce12ed919620","discovery":"EXTERNAL"}},"adp":[{"references":[{"url":"https://huntr.com/bounties/26adf08a-9262-4d5a-a2ee-ce12ed919620","tags":["exploit"]}],"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2025-03-20T14:28:14.599832Z","id":"CVE-2024-10830","options":[{"Exploitation":"poc"},{"Automatable":"yes"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2025-03-20T14:28:18.389Z"}}]}}