Eosphoros AI DB-GPT SQL Injection Vulnerability
Vulnerability
A SQL injection vulnerability has been identified in Eosphoros AI DB-GPT version 0.7.0. This issue allows remote attackers to execute arbitrary SQL statements by sending crafted input to the '/v1/editor/sql/run' or '/v1/editor/chart/run' endpoints. The vulnerability arises because user-provided SQL is executed without proper parameterization, leaving all database types except DuckDB completely unprotected.
Impact
Exploitation of this vulnerability allows for arbitrary SQL execution on any connected database, including MySQL and PostgreSQL. This could lead to unauthorized data access, modification, deletion, or extraction of sensitive information.
Reproduction
The vulnerability can be reproduced by sending a POST request containing crafted SQL to the '/v1/editor/sql/run' or '/v1/editor/chart/run' endpoint. For non-DuckDB databases the submitted SQL is executed as-is, so there is no protection to bypass. DuckDB connections are guarded only by a keyword blacklist, which can be evaded by obfuscating the SQL.
Remediation
Users are advised to update to the patched version of DB-GPT, which is available in the project's GitHub repository.
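As an added example (not DB-GPT's own code or its patch), the following shows a two-layer defence for an endpoint that runs user-supplied SQL: a structural allowlist check (exactly one statement, starting with SELECT, comments stripped) instead of a keyword blacklist, plus a connection that itself refuses non-read actions via SQLite's authorizer, standing in for the least-privilege, read-only database account such an endpoint should use against MySQL or PostgreSQL. The table, rows and function names are constructed for this example.

```python
import re
import sqlite3

_COMMENT_RE = re.compile(r"/\*.*?\*/|--[^\n]*", re.DOTALL)
# Only plain SELECT; WITH is excluded because PostgreSQL permits data-modifying CTEs.
_ALLOWED_FIRST_WORDS = {"SELECT"}

def split_statements(sql: str) -> list[str]:
    """Strip comments, then split on ';' that are outside quotes."""
    stmts, buf, quote = [], [], None
    for ch in _COMMENT_RE.sub(" ", sql):
        if quote:
            quote = None if ch == quote else quote
        elif ch in ("'", '"', "`"):
            quote = ch
        elif ch == ";":
            stmts.append("".join(buf))
            buf = []
            continue
        buf.append(ch)
    stmts.append("".join(buf))
    return [s.strip() for s in stmts if s.strip()]

def is_single_select(sql: str) -> bool:
    """Layer 1: exactly one statement whose first keyword is SELECT."""
    stmts = split_statements(sql)
    return len(stmts) == 1 and stmts[0].split(None, 1)[0].upper() in _ALLOWED_FIRST_WORDS

def _read_only_authorizer(action, *_args):
    """Layer 2: allow only SELECT, column reads and functions; deny everything else at prepare time."""
    allowed = {sqlite3.SQLITE_SELECT, sqlite3.SQLITE_READ, sqlite3.SQLITE_FUNCTION}
    return sqlite3.SQLITE_OK if action in allowed else sqlite3.SQLITE_DENY

def open_demo_db() -> sqlite3.Connection:
    """Constructed sample data standing in for a connected database (hypothetical)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, email TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'a@example.com'), (2, 'b@example.com')")
    conn.commit()
    conn.set_authorizer(_read_only_authorizer)  # from here on, writes are refused by the connection
    return conn

def run_user_sql(conn: sqlite3.Connection, sql: str):
    """Endpoint-style runner (hypothetical): returns ('ok', rows) or ('rejected', reason)."""
    if not is_single_select(sql):
        return ("rejected", "not a single SELECT statement")
    try:
        return ("ok", conn.execute(sql).fetchall())
    except sqlite3.Error as exc:  # authorizer denial, or a second statement that slipped through
        return ("rejected", str(exc))
```

The string-level check is deliberately the weaker layer: even a read-only account still exposes whatever data it can read, so the connected account should also be scoped to the tables the editor is meant to query.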