CVE-2023-37275

Published: Jul 13, 2023

Modified: Oct 22, 2024

PUBLISHED

CVSS v3.1

3.1

LOW

Description

Auto-GPT is an experimental open-source application showcasing the capabilities of the GPT-4 language model. The Auto-GPT command line UI makes heavy use of color-coded print statements to signify different types of system messages to the user, including messages that are crucial for the user to review and control which commands should be executed. Before v0.4.3, it was possible for a malicious external resource (such as a website browsed by Auto-GPT) to cause misleading messages to be printed to the console by getting the LLM to regurgitate JSON encoded ANSI escape sequences (`\u001b[`). These escape sequences were JSON decoded and printed to the console as part of the model's "thinking process". The issue has been patched in release version 0.4.3.

Vendor	Product	Versions
Significant-Gravitas	Auto-GPT	affected `< 0.4.3`

Weaknesses (CWE)

CWE-117

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

None

Integrity

Low

Availability

None

References

https://github.com/Significant-Gravitas/Auto-GPT/security/advisories/GHSA-r7f7-qrrv-3fjh

x_refsource_CONFIRM

https://github.com/Significant-Gravitas/Auto-GPT/pull/4810

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2023-37275

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References