CVE-2024-1881

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-1881
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-1881.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-1881
Published
2024-06-06T19:15:51Z
Modified
2025-01-08T15:30:58.589989Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

AutoGPT, a component of significant-gravitas/autogpt, is vulnerable to an improper neutralization of special elements used in an OS command ('OS Command Injection') due to a flaw in its shell command validation function. Specifically, the vulnerability exists in versions v0.5.0 up to but not including 5.1.0. The issue arises from the application's method of validating shell commands against an allowlist or denylist, where it only checks the first word of the command. This allows an attacker to bypass the intended restrictions by crafting commands that are executed despite not being on the allowlist or by including malicious commands not present in the denylist. Successful exploitation of this vulnerability could allow an attacker to execute arbitrary shell commands.

References

Affected packages

Git / github.com/significant-gravitas/autogpt

Affected ranges

Type
GIT
Repo
https://github.com/significant-gravitas/autogpt
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed

Affected versions

agbenchmark-v0.*

agbenchmark-v0.0.10

autogpt-v0.*

autogpt-v0.5.0

v0.*

v0.1.0
v0.1.1
v0.1.2
v0.1.3
v0.2.0
v0.2.1
v0.2.2
v0.3.0
v0.3.1
v0.4.0
v0.4.1
v0.4.2
v0.4.3
v0.4.3-alpha
v0.4.4
v0.4.5