We use cookies to improve your experience on our site.
AVID-2026-R0015
Description
Cross-Site Request Forgery (CSRF) in eosphoros-ai/db-gpt (CVE-2024-10906)
Details
In version 0.6.0 of eosphoros-ai/db-gpt, the uvicorn app created by dbgpt_server uses an overly permissive instance of CORSMiddleware which sets the Access-Control-Allow-Origin to * for all requests. This configuration makes all endpoints exposed by the server vulnerable to Cross-Site Request Forgery (CSRF). An attacker can exploit this vulnerability to interact with any endpoints of the instance, even if the instance is not publicly exposed to the network.
References
Affected or Relevant Artifacts
- Developer: eosphoros-ai
- Deployer: eosphoros-ai
- Artifact Details:
| Type | Name |
|---|---|
| System | eosphoros-ai/db-gpt |
Impact
AVID Taxonomy Categorization
- Risk domains: Security
- SEP subcategories: S0100: Software Vulnerability
- Lifecycle stages: L06: Deployment
CVSS
| Version | 3.0 |
| Vector String | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:L |
| Base Score | 7.1 |
| Base Severity | 🔴 High |
| Attack Vector | NETWORK |
| Attack Complexity | 🟢 Low |
| Privileges Required | NONE |
| User Interaction | REQUIRED |
| Scope | UNCHANGED |
| Confidentiality Impact | NONE |
| Integrity Impact | 🔴 High |
| Availability Impact | 🟢 Low |
CWE
| ID | Description |
|---|---|
| CWE-352 | CWE-352 Cross-Site Request Forgery (CSRF) |
Other information
- Report Type: Advisory
- Credits:
- Date Reported: 2025-03-20
- Version: 0.3.1
- AVID Entry