CVE-2024-1881

AutoGPT, a component of significant-gravitas/autogpt, is vulnerable to an improper neutralization of special elements used in an OS command ('OS Command Injection') due to a flaw in its shell command validation function. Specifically, the vulnerability exists in versions v0.5.0 up to but not including 5.1.0. The issue arises from the application's method of validating shell commands against an allowlist or denylist, where it only checks the first word of the command. This allows an attacker to bypass the intended restrictions by crafting commands that are executed despite not being on the allowlist or by including malicious commands not present in the denylist. Successful exploitation of this vulnerability could allow an attacker to execute arbitrary shell commands.
Configurations

Configuration 1 (hide)

cpe:2.3:a:agpt:autogpt:*:*:*:*:*:*:*:*

History

21 Nov 2024, 08:51

Type Values Removed Values Added
References () https://github.com/significant-gravitas/autogpt/commit/26324f29849967fa72c207da929af612f1740669 - Patch () https://github.com/significant-gravitas/autogpt/commit/26324f29849967fa72c207da929af612f1740669 - Patch
References () https://huntr.com/bounties/416c4a8b-36ba-4bbc-850a-a2f978b0fac8 - Third Party Advisory () https://huntr.com/bounties/416c4a8b-36ba-4bbc-850a-a2f978b0fac8 - Third Party Advisory

08 Oct 2024, 21:38

Type Values Removed Values Added
CVSS v2 : unknown
v3 : 8.8
v2 : unknown
v3 : 9.8
CPE cpe:2.3:a:agpt:autogpt:*:*:*:*:*:*:*:*
References () https://github.com/significant-gravitas/autogpt/commit/26324f29849967fa72c207da929af612f1740669 - () https://github.com/significant-gravitas/autogpt/commit/26324f29849967fa72c207da929af612f1740669 - Patch
References () https://huntr.com/bounties/416c4a8b-36ba-4bbc-850a-a2f978b0fac8 - () https://huntr.com/bounties/416c4a8b-36ba-4bbc-850a-a2f978b0fac8 - Third Party Advisory
First Time Agpt autogpt
Agpt

07 Jun 2024, 14:56

Type Values Removed Values Added
Summary
  • (es) AutoGPT, un componente de significant-gravitas/autogpt, es vulnerable a una neutralización inadecuada de elementos especiales utilizados en un comando del sistema operativo ('Inyección de comando del sistema operativo') debido a una falla en su función de validación del comando de shell. Específicamente, la vulnerabilidad existe en las versiones v0.5.0 hasta la 5.1.0, pero no incluida. El problema surge del método de la aplicación para validar los comandos del shell con una lista de permitidos o de denegados, donde solo verifica la primera palabra del comando. Esto permite a un atacante eludir las restricciones previstas creando comandos que se ejecutan a pesar de no estar en la lista de permitidos o incluyendo comandos maliciosos que no están presentes en la lista de prohibidos. La explotación exitosa de esta vulnerabilidad podría permitir a un atacante ejecutar comandos de shell arbitrarios.

06 Jun 2024, 19:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-06-06 19:15

Updated : 2024-11-21 08:51


NVD link : CVE-2024-1881

Mitre link : CVE-2024-1881

CVE.ORG link : CVE-2024-1881


JSON object : View

Products Affected

agpt

  • autogpt
CWE
CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')