PYSEC-2024-9

See a problem?

Import Source

https://github.com/pypa/advisory-database/blob/main/vulns/metagpt/PYSEC-2024-9.yaml

JSON Data

https://api.osv.dev/v1/vulns/PYSEC-2024-9

Aliases

CVE-2024-23750
GHSA-g7ph-8423-pf4j

Published

2024-01-22T01:15:00Z

Modified

2024-01-22T21:56:41.084725Z

Summary

[none]

Details

MetaGPT through 0.6.4 allows the QaEngineer role to execute arbitrary code because RunCode.run_script() passes shell metacharacters to subprocess.Popen.

References

https://github.com/geekan/MetaGPT/issues/731

Affected packages

PyPI / metagpt

Package

Name: metagpt; View open source insights on deps.dev
Purl: pkg:pypi/metagpt

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.6.5

Affected versions

0.*

0.1

0.3.0

0.4.0

0.5.0

0.5.1

0.5.2

0.6.0

0.6.1

0.6.2

0.6.3

0.6.4

Database specific

source

"https://github.com/pypa/advisory-database/blob/main/vulns/metagpt/PYSEC-2024-9.yaml"