eosphoros-ai db-gpt Flow Import Endpoint import importlib.machinery.SourceFileLoader.exec_module code injection

A security flaw has been discovered in eosphoros-ai db-gpt 0.7.5. Affected is the function importlib.machinery.SourceFileLoader.exec_module of the file /api/v1/serve/awel/flow/import of the component Flow Import Endpoint. Performing a manipulation as part of File results in code injection. The attack may be initiated remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

对生成代码的控制不恰当(代码注入)

DB-GPT 代码注入漏洞

DB-GPT是eosphoros开源的一个基于 AWEL 和代理的 AI 原生数据应用开发框架。 DB-GPT 0.7.5版本存在代码注入漏洞，该漏洞源于对文件/api/v1/serve/awel/flow/import中组件的操作，可能导致代码注入攻击。

N/A

N/A