TROYANOSYVIRUS
Zuruck zu CVEs

CVE-2024-1881

CRITICAL
9.8

Beschreibung

AutoGPT, a component of significant-gravitas/autogpt, is vulnerable to an improper neutralization of special elements used in an OS command ('OS Command Injection') due to a flaw in its shell command validation function. Specifically, the vulnerability exists in versions v0.5.0 up to but not including 5.1.0. The issue arises from the application's method of validating shell commands against an allowlist or denylist, where it only checks the first word of the command. This allows an attacker to bypass the intended restrictions by crafting commands that are executed despite not being on the allowlist or by including malicious commands not present in the denylist. Successful exploitation of this vulnerability could allow an attacker to execute arbitrary shell commands.

CVE Details

CVSS v3.1 Bewertung9.8
SchweregradCRITICAL
CVSS VektorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
AngriffsvektorNETWORK
KomplexitatLOW
Erforderliche PrivilegienNONE
BenutzerinteraktionNONE
Veroffentlicht6/6/2024
Zuletzt geandert8/5/2025
Quellenvd
Honeypot-Sichtungen0

Betroffene Produkte

agpt:autogpt_classic

Schwachen (CWE)

CWE-78

Referenzen

https://github.com/significant-gravitas/autogpt/commit/26324f29849967fa72c207da929af612f1740669(security@huntr.dev)
https://huntr.com/bounties/416c4a8b-36ba-4bbc-850a-a2f978b0fac8(security@huntr.dev)
https://github.com/significant-gravitas/autogpt/commit/26324f29849967fa72c207da929af612f1740669(af854a3a-2127-422b-91ae-364da2661108)
https://huntr.com/bounties/416c4a8b-36ba-4bbc-850a-a2f978b0fac8(af854a3a-2127-422b-91ae-364da2661108)

IOC Korrelationen

Keine Korrelationen erfasst

This product uses data from the NVD API but is not endorsed or certified by the NVD.