{"id":"GHSA-3248-f932-c76p","summary":"DB-GPT vulnerable to Cross-Site Request Forgery","details":"In version 0.6.0 of eosphoros-ai/db-gpt, the `uvicorn` app created by `dbgpt_server` uses an overly permissive instance of `CORSMiddleware` which sets the `Access-Control-Allow-Origin` header to `*` for all requests. This configuration makes all endpoints exposed by the server vulnerable to Cross-Site Request Forgery (CSRF). An attacker can exploit this vulnerability to interact with any endpoint of the instance, even if the instance is not publicly exposed to the network.","aliases":["CVE-2024-10906"],"modified":"2025-03-21T16:43:08.586755Z","published":"2025-03-20T12:32:40Z","database_specific":{"severity":"HIGH","nvd_published_at":"2025-03-20T10:15:21Z","cwe_ids":["CWE-352"],"github_reviewed":true,"github_reviewed_at":"2025-03-21T16:15:55Z"},"references":[{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-10906"},{"type":"PACKAGE","url":"https://github.com/eosphoros-ai/DB-GPT"},{"type":"WEB","url":"https://github.com/eosphoros-ai/DB-GPT/blob/f5de05b2636bc0628b3a92d32b22a26f88a18f2a/dbgpt/app/dbgpt_server.py#L240"},{"type":"WEB","url":"https://huntr.com/bounties/8864aca5-a342-4dab-b866-b2882ba6f160"}],"affected":[{"package":{"name":"dbgpt","ecosystem":"PyPI","purl":"pkg:pypi/dbgpt"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"last_affected":"0.6.0"}]}],"versions":["0.4.7","0.5.0","0.5.1","0.5.10","0.5.1rc0","0.5.2","0.5.2rc0","0.5.3","0.5.3rc0","0.5.4","0.5.4rc0","0.5.5","0.5.5rc0","0.5.6","0.5.6rc0","0.5.7","0.5.7rc0","0.5.8","0.5.9","0.5.9rc0"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-3248-f932-c76p/GHSA-3248-f932-c76p.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:L"}]}