Vulnerability Description
AutoGPT, a component of significant-gravitas/autogpt, is vulnerable to an improper neutralization of special elements used in an OS command ('OS Command Injection') due to a flaw in its shell command validation function. Specifically, the vulnerability exists in versions v0.5.0 up to but not including 5.1.0. The issue arises from the application's method of validating shell commands against an allowlist or denylist, where it only checks the first word of the command. This allows an attacker to bypass the intended restrictions by crafting commands that are executed despite not being on the allowlist or by including malicious commands not present in the denylist. Successful exploitation of this vulnerability could allow an attacker to execute arbitrary shell commands.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Agpt | Autogpt Classic | >= 0.5.0, < 0.5.1 |
Related Weaknesses (CWE)
References
- https://github.com/significant-gravitas/autogpt/commit/26324f29849967fa72c207da9Patch
- https://huntr.com/bounties/416c4a8b-36ba-4bbc-850a-a2f978b0fac8Third Party Advisory
- https://github.com/significant-gravitas/autogpt/commit/26324f29849967fa72c207da9Patch
- https://huntr.com/bounties/416c4a8b-36ba-4bbc-850a-a2f978b0fac8Third Party Advisory
FAQ
What is CVE-2024-1881?
CVE-2024-1881 is a vulnerability with a CVSS score of 9.8 (CRITICAL). AutoGPT, a component of significant-gravitas/autogpt, is vulnerable to an improper neutralization of special elements used in an OS command ('OS Command Injection') due to a flaw in its shell command ...
How severe is CVE-2024-1881?
CVE-2024-1881 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2024-1881?
Check the references section above for vendor advisories and patch information. Affected products include: Agpt Autogpt Classic.