Eosphoros AI DB-GPT Arbitrary File Write Vulnerability via Knowledge API
Vulnerability
Eosphoros AI DB-GPT version 0.6.0 contains an arbitrary file write vulnerability in the knowledge API. The document upload endpoint is vulnerable to absolute path traversal: the filename of the uploaded part ('doc_file.filename') is taken from the client unchanged and used to build the destination path, so a filename that is an absolute path is written outside the intended upload directory. An attacker can therefore write files to arbitrary locations on the server's filesystem, subject only to the permissions of the DB-GPT process.
Impact
Exploitation of this vulnerability allows for arbitrary file writes to any location on the target server, potentially overwriting existing files or creating new ones in sensitive areas.
Reproduction
To reproduce this vulnerability, install DB-GPT version 0.6.0 and start the application. Create a payload file and use a tool such as curl to send a multipart POST request to the '/knowledge/something/document/upload' endpoint, attaching the payload as the 'doc_file' part and setting that part's 'filename' attribute (the value DB-GPT reads as 'doc_file.filename') to an absolute path of your choosing; curl allows this with the ';filename=' option of its '-F' flag. The server responds with an error, but by that point the payload has already been written to the specified absolute path.
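The following is an added example, not DB-GPT's own code: a hypothetical upload handler modelled on the pattern the advisory describes (the client-supplied multipart filename joined onto the upload directory as-is), placed beside a hardened version. The function names, the 'uploads' and 'victim' directory names and the payload are all constructed for the demonstration, which runs entirely inside a temporary directory so that nothing outside it is touched.

```python
"""Added example: absolute-path file write via a user-controlled multipart
filename, and a hardened replacement.

This is NOT DB-GPT's code. ``unsafe_target_path`` is a hypothetical model of
the vulnerable pattern (``doc_file.filename`` used unchanged); the rest is
an assumed fix, not the project's patch.
"""
import os
import tempfile


def unsafe_target_path(upload_dir: str, filename: str) -> str:
    """Vulnerable pattern (assumed): join the client's filename as given.

    os.path.join discards every earlier component as soon as it meets an
    absolute path, so filename="/tmp/x" yields "/tmp/x", not
    "<upload_dir>/tmp/x". That is the whole bug.
    """
    return os.path.join(upload_dir, filename)


def safe_target_path(upload_dir: str, filename: str) -> str:
    """Hardened version: keep only the final path component, reject empty
    or dot names, then verify the resolved result still lies under
    upload_dir (defence in depth against anything basename() missed)."""
    base = os.path.basename(filename.replace("\\", "/"))
    if base in ("", ".", ".."):
        raise ValueError(f"rejected filename {filename!r}")
    root = os.path.realpath(upload_dir)
    target = os.path.realpath(os.path.join(root, base))
    if os.path.commonpath([root, target]) != root:
        raise ValueError(f"path escapes upload directory: {target}")
    return target


def save_upload(upload_dir: str, filename: str, data: bytes,
                *, hardened: bool = True) -> str:
    """Write *data* to the computed destination and return that path."""
    chooser = safe_target_path if hardened else unsafe_target_path
    target = chooser(upload_dir, filename)
    os.makedirs(os.path.dirname(target), exist_ok=True)
    with open(target, "wb") as fh:
        fh.write(data)
    return target


def demo() -> dict:
    """Constructed scenario in a temp dir: the 'server' stores uploads in
    <tmp>/uploads, the attacker's filename is an absolute path pointing at
    <tmp>/victim/owned.txt."""
    with tempfile.TemporaryDirectory() as tmp:
        upload_dir = os.path.join(tmp, "uploads")
        os.makedirs(upload_dir)
        evil_name = os.path.join(tmp, "victim", "owned.txt")  # absolute path
        payload = b"pwned\n"  # constructed payload

        written_unsafe = save_upload(upload_dir, evil_name, payload,
                                     hardened=False)
        escaped = not written_unsafe.startswith(upload_dir + os.sep)

        written_safe = save_upload(upload_dir, evil_name, payload,
                                   hardened=True)
        contained = written_safe.startswith(
            os.path.realpath(upload_dir) + os.sep)

        return {
            "unsafe_escaped": escaped,          # True: landed in <tmp>/victim
            "safe_contained": contained,        # True: stayed in uploads/
            "safe_name": os.path.basename(written_safe),
        }


if __name__ == "__main__":
    print(demo())
```

The fix that matters is the basename() step; the commonpath() check is a second line of defence so that a future change to how the name is built cannot silently reintroduce the escape. Note that neither function rejects a filename that merely contains '..' segments, because after basename() only the last component survives; whether to reject such names outright as a policy matter is a separate decision.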
