Home > Vulnerability Database > CVE-2024-1879

Mend.io Vulnerability Database

CVE-2024-1879

Date: June 6, 2024

A Cross-Site Request Forgery (CSRF) vulnerability in significant-gravitas/autogpt version v0.5.0 allows attackers to execute arbitrary commands on the AutoGPT server. The vulnerability stems from the lack of protections on the API endpoint receiving instructions, enabling an attacker to direct a user running AutoGPT in their local network to a malicious website. This site can then send crafted requests to the AutoGPT server, leading to command execution. The issue is exacerbated by CORS being enabled for arbitrary origins by default, allowing the attacker to read the response of all cross-site queries. This vulnerability was addressed in version 5.1.

Language: Python

Severity Score

8.8

Related Resources (4)

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-1879

Url: https://huntr.com/bounties/125c2d0c-0481-4e5c-ae90-fec263acdf32

Url: https://github.com/significant-gravitas/autogpt/commit/26324f29849967fa72c207da929af612f1740669

Url: https://www.mend.io/vulnerability-database/CVE-2024-1879

Severity Score

8.8

Weakness Type (CWE)

Cross-Site Request Forgery (CSRF)

CWE-352

CVSS v3.1

Base Score:	8.8
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	REQUIRED
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2024-1879

Date: June 6, 2024

Language: Python

Severity Score

Related Resources (4)

Severity Score

Weakness Type (CWE)

CVSS v3.1

Do you need more information?