Eosphoros AI Db-Gpt Arbitrary File Write Vulnerability
Vulnerability
A vulnerability allowing arbitrary file write has been identified in Eosphoros AI Db-Gpt version 0.6.0. This issue resides in the RAG-knowledge endpoint, where the application improperly handles file paths. By passing an absolute path to the 'doc_file.filename' parameter, an attacker can write files to arbitrary locations on the server. This could lead to overwriting critical system files or adding new entries to SSH key configurations.
Impact
Exploitation of this vulnerability allows for arbitrary file writing with user-supplied data, which can be used to overwrite system files or, for instance, create new SSH key entries.
Reproduction
To reproduce this vulnerability, first install Db-Gpt version 0.6.0. After setting up the application, create a 'knowledge space' through the API. Once the space is established, send a request to the 'documents' endpoint, including a file payload and specifying an absolute path in the 'doc_file.filename' field. This will trigger the vulnerability by writing the file to the designated location on the server.
Remediation
Users are advised to update to the patched version of Db-Gpt, where this vulnerability has been addressed.
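The defect described above is the classic pattern of a client-supplied filename being joined directly onto an upload directory. The following added example (not DB-GPT's own code; the handler, directory and filenames are constructed for illustration) shows that pattern beside a hardened version that keeps only the final path component and verifies the resolved target stays inside the upload directory, plus a check that defenders can run over stored paths.

```python
import os

# Constructed upload root (assumption; not a DB-GPT path).
UPLOAD_DIR = "/srv/uploads"


def unsafe_target_path(upload_dir: str, filename: str) -> str:
    """Vulnerable pattern: the client-supplied filename is joined as-is.
    os.path.join discards every preceding component when a later one is
    absolute, and '..' segments are not rejected, so the write can leave
    upload_dir entirely."""
    return os.path.join(upload_dir, filename)


def safe_target_path(upload_dir: str, filename: str) -> str:
    """Hardened pattern: keep only the last path component (treating
    backslashes as separators too), reject empty or dot names, then
    confirm the resolved path is still under the resolved upload root."""
    base = os.path.basename(filename.replace("\\", "/"))
    if base in ("", ".", ".."):
        raise ValueError("invalid filename")
    root = os.path.realpath(upload_dir)
    target = os.path.realpath(os.path.join(root, base))
    if os.path.commonpath([root, target]) != root:
        raise ValueError("filename escapes upload directory")
    return target


def accepts(upload_dir: str, filename: str) -> bool:
    """True when the hardened resolver accepts the filename."""
    try:
        safe_target_path(upload_dir, filename)
        return True
    except ValueError:
        return False


def escapes_upload_dir(upload_dir: str, filename: str) -> bool:
    """True when the unsafe join would land outside upload_dir; usable
    as a regression test or to audit filenames already recorded."""
    root = os.path.realpath(upload_dir)
    target = os.path.realpath(unsafe_target_path(upload_dir, filename))
    return os.path.commonpath([root, target]) != root


if __name__ == "__main__":
    for name in ("report.pdf", "/tmp/outside.txt", "../escape.txt"):
        print(name, "escapes:", escapes_upload_dir(UPLOAD_DIR, name),
              "hardened accepts:", accepts(UPLOAD_DIR, name))
```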