TROYANOSYVIRUS
Voltar para CVEs

CVE-2024-1881

CRITICAL
9.8

Descricao

AutoGPT, a component of significant-gravitas/autogpt, is vulnerable to an improper neutralization of special elements used in an OS command ('OS Command Injection') due to a flaw in its shell command validation function. Specifically, the vulnerability exists in versions v0.5.0 up to but not including 5.1.0. The issue arises from the application's method of validating shell commands against an allowlist or denylist, where it only checks the first word of the command. This allows an attacker to bypass the intended restrictions by crafting commands that are executed despite not being on the allowlist or by including malicious commands not present in the denylist. Successful exploitation of this vulnerability could allow an attacker to execute arbitrary shell commands.

Detalhes CVE

Pontuacao CVSS v3.19.8
SeveridadeCRITICAL
Vetor CVSSCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Vetor de ataqueNETWORK
ComplexidadeLOW
Privilegios necessariosNONE
Interacao do usuarioNONE
Publicado6/6/2024
Ultima modificacao8/5/2025
Fontenvd
Avistamentos honeypot0

Produtos afetados

agpt:autogpt_classic

Fraquezas (CWE)

CWE-78

Referencias

https://github.com/significant-gravitas/autogpt/commit/26324f29849967fa72c207da929af612f1740669(security@huntr.dev)
https://huntr.com/bounties/416c4a8b-36ba-4bbc-850a-a2f978b0fac8(security@huntr.dev)
https://github.com/significant-gravitas/autogpt/commit/26324f29849967fa72c207da929af612f1740669(af854a3a-2127-422b-91ae-364da2661108)
https://huntr.com/bounties/416c4a8b-36ba-4bbc-850a-a2f978b0fac8(af854a3a-2127-422b-91ae-364da2661108)

Correlacoes IOC

Sem correlacoes registradas

This product uses data from the NVD API but is not endorsed or certified by the NVD.