CVE-2024-1879

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2024-1879

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-1879.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2024-1879

Published

2024-06-06T18:15:12Z

Modified

2025-01-15T05:05:19.576908Z

Severity

8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

A Cross-Site Request Forgery (CSRF) vulnerability in significant-gravitas/autogpt version v0.5.0 allows attackers to execute arbitrary commands on the AutoGPT server. The vulnerability stems from the lack of protections on the API endpoint receiving instructions, enabling an attacker to direct a user running AutoGPT in their local network to a malicious website. This site can then send crafted requests to the AutoGPT server, leading to command execution. The issue is exacerbated by CORS being enabled for arbitrary origins by default, allowing the attacker to read the response of all cross-site queries. This vulnerability was addressed in version 5.1.

References

Affected packages

Git / github.com/significant-gravitas/autogpt

Affected ranges

Type: GIT
Repo: https://github.com/significant-gravitas/autogpt
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

26324f29849967fa72c207da929af612f1740669

Fixed

26324f29849967fa72c207da929af612f1740669

Affected versions

agbenchmark-v0.*

agbenchmark-v0.0.10

autogpt-v0.*

autogpt-v0.5.0

v0.*

v0.1.0

v0.1.1

v0.1.2

v0.1.3

v0.2.0

v0.2.1

v0.2.2

v0.3.0

v0.3.1

v0.4.0

v0.4.1

v0.4.2

v0.4.3

v0.4.3-alpha

v0.4.4

v0.4.5