CVE-2024-6091
published 2024-09-11CVE-2024-6091: A vulnerability in significant-gravitas/autogpt version 0.5.1 allows an attacker to bypass the shell commands denylist settings. The issue arises when the…
PriorityP358critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
EPSS
0.81%
52.4th percentile
A vulnerability in significant-gravitas/autogpt version 0.5.1 allows an attacker to bypass the shell commands denylist settings. The issue arises when the denylist is configured to block specific commands, such as 'whoami' and '/bin/whoami'. An attacker can circumvent this restriction by executing commands with a modified path, such as '/bin/./whoami', which is not recognized by the denylist.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| agpt | autogpt_classic | — | — |
| significant-gravitas | significant-gravitas_autogpt | >= unspecified < 0.5.1 | 0.5.1 |
CVSS provenance
nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv3.09.8CRITICALCVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
AutoGPT bypass of the shell commands denylist settings
ghsa·2024-09-11
CVE-2024-6091 [CRITICAL] CWE-78 AutoGPT bypass of the shell commands denylist settings
AutoGPT bypass of the shell commands denylist settings
A vulnerability in significant-gravitas/autogpt version 0.5.1 allows an attacker to bypass the shell commands denylist settings. The issue arises when the denylist is configured to block specific commands, such as `whoami` and `/bin/whoami`. An attacker can circumvent this restriction by executing commands with a modified path, such as `/bin/./whoami`, which is not recognized by the denylist.
OSV
AutoGPT bypass of the shell commands denylist settings
osv·2024-09-11
CVE-2024-6091 [CRITICAL] AutoGPT bypass of the shell commands denylist settings
AutoGPT bypass of the shell commands denylist settings
A vulnerability in significant-gravitas/autogpt version 0.5.1 allows an attacker to bypass the shell commands denylist settings. The issue arises when the denylist is configured to block specific commands, such as `whoami` and `/bin/whoami`. An attacker can circumvent this restriction by executing commands with a modified path, such as `/bin/./whoami`, which is not recognized by the denylist.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
CWE
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
mitre_cwe
CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
This weakness can lead to a vulnerability in environments in which the attacker does not have direct access to the operating system, such as in web applications. Alternately, if the weakness occurs in a privileged program, it could allow the attacker to specify commands that normally would not be accessible, or to call alternate commands with privileges that the attacker does not have. The problem is exacerbated if the compro
CWE
Path Equivalence: '/./' (Single Dot Directory)
mitre_cwe·CVSS 5.0
[MEDIUM] CWE-55 Path Equivalence: '/./' (Single Dot Directory)
CWE-55: Path Equivalence: '/./' (Single Dot Directory)
The product accepts path input in the form of single dot directory exploit ('/./') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files.
Modes of Introduction:
Phase: Implementation
Common Consequences:
Scope: Confidentiality, Integrity. Impact: Read Files or Directories, Modify Files or Directories.
Potential Mitigations:
[Implementation] Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by
CWE
Incomplete List of Disallowed Inputs
mitre_cwe
CWE-184 Incomplete List of Disallowed Inputs
CWE-184: Incomplete List of Disallowed Inputs
The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are not allowed by policy or otherwise require other action to neutralize before additional processing takes place, but the list is incomplete.
Modes of Introduction:
Phase: Implementation
Note: Developers often try to protect their products against malicious input by checking against lists of known bad inputs, such as special characters that can invoke new commands. However, such lists often only address the most well-known bad inputs. As a quick fix, developers might rely on these lists instead of addressing the root cause of the issue. See [REF-141].
Phase: Architecture and Design
Note: The design might rely solely on detection of m
2024-09-11
Published