AutoGPT, a component of significant-gravitas/autogpt, is vulnerable to an improper neutralization of special elements used in an OS command ('OS Command Injection') due to a flaw in its shell command validation function. Specifically, the vulnerability exists in versions v0.5.0 up to but not including 5.1.0. The issue arises from the application's method of validating shell commands against an allowlist or denylist, where it only checks the first word of the command. This allows an attacker to bypass the intended restrictions by crafting commands that are executed despite not being on the allowlist or by including malicious commands not present in the denylist. Successful exploitation of this vulnerability could allow an attacker to execute arbitrary shell commands.
References
Configurations
History
21 Nov 2024, 08:51
Type | Values Removed | Values Added |
---|---|---|
References | () https://github.com/significant-gravitas/autogpt/commit/26324f29849967fa72c207da929af612f1740669 - Patch | |
References | () https://huntr.com/bounties/416c4a8b-36ba-4bbc-850a-a2f978b0fac8 - Third Party Advisory |
08 Oct 2024, 21:38
Type | Values Removed | Values Added |
---|---|---|
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 9.8 |
CPE | cpe:2.3:a:agpt:autogpt:*:*:*:*:*:*:*:* | |
References | () https://github.com/significant-gravitas/autogpt/commit/26324f29849967fa72c207da929af612f1740669 - Patch | |
References | () https://huntr.com/bounties/416c4a8b-36ba-4bbc-850a-a2f978b0fac8 - Third Party Advisory | |
First Time |
Agpt autogpt
Agpt |
07 Jun 2024, 14:56
Type | Values Removed | Values Added |
---|---|---|
Summary |
|
06 Jun 2024, 19:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2024-06-06 19:15
Updated : 2024-11-21 08:51
NVD link : CVE-2024-1881
Mitre link : CVE-2024-1881
CVE.ORG link : CVE-2024-1881
JSON object : View
Products Affected
agpt
- autogpt
CWE
CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')