GHSA-p6h7-hfj2-vmcf

Suggest an improvement
Source
https://github.com/advisories/GHSA-p6h7-hfj2-vmcf
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-p6h7-hfj2-vmcf/GHSA-p6h7-hfj2-vmcf.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-p6h7-hfj2-vmcf
Aliases
  • CVE-2024-8501
Published
2025-03-20T12:32:48Z
Modified
2025-03-21T22:16:38.068856Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
AgentScope arbitrary file download vulnerability in rpc_agent_client
Details

An arbitrary file download vulnerability exists in the rpcagentclient component of modelscope/agentscope version v0.0.4. This vulnerability allows any user to download any file from the rpcagent's host by exploiting the downloadfile method. This can lead to unauthorized access to sensitive information, including configuration files, credentials, and potentially system files, which may facilitate further exploitation such as privilege escalation or lateral movement within the network.

Database specific 
{
    "nvd_published_at": "2025-03-20T10:15:42Z",
    "cwe_ids": [
        "CWE-36"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2025-03-21T21:56:53Z"
}
References

Affected packages

PyPI / agentscope

Package

Name
agentscope
View open source insights on deps.dev
Purl
pkg:pypi/agentscope

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Last affected
0.0.4

Affected versions

0.*

0.0.1
0.0.2
0.0.3
0.0.4