Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
vulnrichment@huntr_aiVULNRICHMENT:CVE-2024-1881
HistoryJun 06, 2024 - 6:19 p.m.

CVE-2024-1881 Improper Neutralization of Special Elements used in an OS Command in significant-gravitas/autogpt

2024-06-0618:19:08
CWE-78
@huntr_ai
github.com
3
cve-2024-1881
autogpt
os command injection
shell command validation

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score

7.8

Confidence

High

SSVC

Exploitation

poc

Automatable

no

Technical Impact

total

JSON

AutoGPT, a component of significant-gravitas/autogpt, is vulnerable to an improper neutralization of special elements used in an OS command (‘OS Command Injection’) due to a flaw in its shell command validation function. Specifically, the vulnerability exists in versions v0.5.0 up to but not including 5.1.0. The issue arises from the application’s method of validating shell commands against an allowlist or denylist, where it only checks the first word of the command. This allows an attacker to bypass the intended restrictions by crafting commands that are executed despite not being on the allowlist or by including malicious commands not present in the denylist. Successful exploitation of this vulnerability could allow an attacker to execute arbitrary shell commands.

CNA Affected

[
  {
    "vendor": "significant-gravitas",
    "product": "significant-gravitas/autogpt",
    "versions": [
      {
        "version": "unspecified",
        "lessThan": "5.1.0",
        "status": "affected",
        "versionType": "custom"
      }
    ]
  }
]

ADP Affected

[
  {
    "cpes": [
      "cpe:2.3:a:significant-gravitas:autogpt:*:*:*:*:*:*:*:*"
    ],
    "vendor": "significant-gravitas",
    "product": "autogpt",
    "versions": [
      {
        "status": "affected",
        "version": "0.5.0",
        "lessThan": "5.1.0",
        "versionType": "custom"
      }
    ],
    "defaultStatus": "unknown"
  }
]

Related

nvd 1
cve 1
osv 1
cvelist 1
nvd
nvd
CVE-2024-1881
2024-06-06 19:15:51
cve
cve
CVE-2024-1881
2024-06-06 19:15:51
osv
osv
CVE-2024-1881
2024-06-06 19:15:51
cvelist
cvelist
CVE-2024-1881 Improper Neutralization of Special Elements used in an OS Command in significant-gravitas/autogpt
2024-06-06 18:19:08

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score

7.8

Confidence

High

SSVC

Exploitation

poc

Automatable

no

Technical Impact

total

JSON
Related for VULNRICHMENT:CVE-2024-1881
nvd1cve1osv1cvelist1