CVE-2024-10906

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2024-10906

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-10906.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2024-10906

Aliases

GHSA-3248-f932-c76p

Published

2025-03-20T10:15:21.233Z

Modified

2025-11-20T12:23:10.358231Z

Severity

8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H CVSS Calculator

Summary

[none]

Details

In version 0.6.0 of eosphoros-ai/db-gpt, the uvicorn app created by dbgpt_server uses an overly permissive instance of CORSMiddleware which sets the Access-Control-Allow-Origin to * for all requests. This configuration makes all endpoints exposed by the server vulnerable to Cross-Site Request Forgery (CSRF). An attacker can exploit this vulnerability to interact with any endpoints of the instance, even if the instance is not publicly exposed to the network.

References

https://huntr.com/bounties/8864aca5-a342-4dab-b866-b2882ba6f160

Affected packages

Git / github.com/eosphoros-ai/db-gpt

Affected ranges

Type: GIT
Repo: https://github.com/eosphoros-ai/db-gpt
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Last affected

b34295562924046c229f0fd424ac3c7b54b7ecc8

Affected versions

0.*

0.4.1

v0.*

v0.0.1

v0.0.2

v0.0.3

v0.0.4-alpha

v0.0.5-beta

v0.0.6

v0.0.7

v0.1.0

v0.1.1

v0.2.0

v0.2.1

v0.2.2

v0.2.3

v0.3.0

v0.3.1

v0.3.2

v0.3.3

v0.3.4

v0.3.5

v0.3.6

v0.3.7

v0.3.8

v0.3.9

v0.4.0

v0.4.2

v0.4.3

v0.4.4

v0.4.5

v0.4.6

v0.4.7

v0.5.0

v0.5.1

v0.5.10

v0.5.2

v0.5.3

v0.5.4

v0.5.5

v0.5.6

v0.5.7

v0.5.8

v0.5.9

v0.6.0