CVE-2023-37273 : Security Advisory and Response

This article provides detailed information about CVE-2023-37273, a vulnerability in the Auto-GPT application by Significant-Gravitas that can lead to code injection and potential host system compromise.

Understanding CVE-2023-37273

CVE-2023-37273 is a vulnerability in the Auto-GPT application that allows for code injection, potentially leading to control over the host system. This vulnerability affects Auto-GPT versions prior to 0.4.3.

What is CVE-2023-37273?

Auto-GPT is an experimental open-source application showcasing the capabilities of the GPT-4 language model. The vulnerability arises when executing Auto-GPT version prior to 0.4.3 from a cloned git repository using a specific docker-compose.yml file that lacks write protection. This allows malicious python code execution to compromise the host system.

The Impact of CVE-2023-37273

The impact of CVE-2023-37273 is classified as HIGH severity with a CVSS base score of 8.1. The confidentiality and integrity of the affected system are at risk, requiring low privileges to exploit the vulnerability.

Technical Details of CVE-2023-37273

The vulnerability in Auto-GPT is classified under CWE-94, involving improper control of code generation, specifically code injection. The vulnerability is rated with a CVSS v3.1 base score of 8.1 (High severity).

Vulnerability Description

The issue occurs when executing Auto-GPT version prior to 0.4.3 using a docker-compose.yml file without write protection, allowing malicious python code to overwrite the file. This can lead to host system compromise upon the next Auto-GPT startup.

Affected Systems and Versions

Auto-GPT versions prior to 0.4.3 are affected by this vulnerability, specifically when running the application from a docker-compose.yml file included in a git repository.

Exploitation Mechanism

The vulnerability can be exploited by executing malicious python code using the

execute_python_file

and

execute_python_code

commands in the Auto-GPT application, resulting in code injection and potential host system compromise.

Mitigation and Prevention

To address CVE-2023-37273, immediate mitigation steps should be taken along with the adoption of long-term security practices to prevent similar vulnerabilities in the future. Upgrading to version 0.4.3 or newer is essential to patch the vulnerability and secure the system.

Immediate Steps to Take

Immediately update Auto-GPT to version 0.4.3 to mitigate the vulnerability and enhance system security.

Long-Term Security Practices

Implement strong access controls, regular security audits, and keep software up to date to prevent future vulnerabilities in Auto-GPT and other applications.

Patching and Updates

Regularly check for updates and security patches for Auto-GPT to ensure the latest security fixes are applied to mitigate existing and potential vulnerabilities.