How severe is CVE-2024-1881?

This vulnerability has a severity rating of HIGH with a CVSS score of 8.8 out of 10.

What type of vulnerability is CVE-2024-1881?

This is classified as CWE-78, which is a common weakness in software security.

CVE-2024-1881 - HIGH Severity | CVSS 8.8

Vulnerability Description

AutoGPT, a component of significant-gravitas/autogpt, is vulnerable to an improper neutralization of special elements used in an OS command ('OS Command Injection') due to a flaw in its shell command validation function. Specifically, the vulnerability exists in versions v0.5.0 up to but not including 5.1.0. The issue arises from the application's method of validating shell commands against an allowlist or denylist, where it only checks the first word of the command. This allows an attacker to bypass the intended restrictions by crafting commands that are executed despite not being on the allowlist or by including malicious commands not present in the denylist. Successful exploitation of this vulnerability could allow an attacker to execute arbitrary shell commands.

Related Vulnerabilities

CVE-2011-3178

HIGH

CVSS:8.8(High)

In the web ui of the openbuildservice before 2.3.0 a code injection of the project rebuildtimes statistics could be used by authorized attackers to execute shellcode.

CWE-782011

CVE-2012-4981

HIGH

CVSS:8.8(High)

Toshiba ConfigFree 8.0.38 has a CF7 File Remote Command Execution Vulnerability

CWE-782012

CVE-2012-5693

HIGH

CVSS:8.8(High)

Bulb Security Smartphone Pentest Framework (SPF) before 0.1.3 allows remote attackers to execute arbitrary commands via shell metacharacters in the ipAddressTB parameter to (1) remoteAttack.pl or (2) ...

CWE-782012

CVE-2012-6610

HIGH

CVSS:8.8(High)

Polycom HDX Video End Points before 3.0.4 and UC APL before 2.7.1.J allows remote authenticated users to execute arbitrary commands as demonstrated by a ; (semicolon) to the ping command feature.

CWE-782012

CVE-2013-1598

HIGH

CVSS:8.8(High)

A Command Injection vulnerability exists in Vivotek PT7135 IP Cameras 0300a and 0400a via the system.ntp parameter to the farseer.out binary file, which cold let a malicious user execute arbitrary cod...

CWE-782013

CVE-2013-2024

HIGH

CVSS:8.8(High)

OS command injection vulnerability in the "qs" procedure from the "utils" module in Chicken before 4.9.0.

CWE-782013