漏洞信息
尽管我们使用了先进的大模型技术,但其输出仍可能包含不准确或过时的信息。神龙努力确保数据的准确性,但请您根据实际情况进行核实和判断。
Vulnerability Title
ByteDance DeerFlow LocalSandboxProvider Host Bash Escape
Vulnerability Description
ByteDance Deer-Flow versions prior to commit 92c7a20 contain a sandbox escape vulnerability in bash tool handling that allows attackers to execute arbitrary commands on the host system by bypassing regex-based validation using shell features such as directory changes and relative paths. Attackers can exploit the incomplete shell semantics modeling to read and modify files outside the sandbox boundary and achieve arbitrary command execution through subprocess invocation with shell interpretation enabled.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Vulnerability Type
不完整的黑名单
Vulnerability Title
DeerFlow 安全漏洞
Vulnerability Description
DeerFlow是Bytedance开源的一个开源智能体编排框架,用于协调子代理与技能执行。 DeerFlow 92c7a20之前版本存在安全漏洞,该漏洞源于bash工具处理中存在沙箱逃逸,攻击者可通过利用目录更改和相对路径等shell功能绕过基于正则表达式的验证,在主机系统上执行任意命令,可能导致读取和修改沙箱边界外的文件并通过启用shell解释的子进程调用实现任意命令执行。
CVSS Information
N/A
Vulnerability Type
N/A