### [CVE-2024-6091](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-6091)
![](https://img.shields.io/static/v1?label=Product&message=significant-gravitas%2Fautogpt&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=0%20&color=brightgreen)
![](https://img.shields.io/static/v1?label=Version&message=unspecified%20&color=brightgreen)
![](https://img.shields.io/static/v1?label=Vulnerability&message=CWE-78%20Improper%20Neutralization%20of%20Special%20Elements%20used%20in%20an%20OS%20Command&color=brightgreen)

### Description

A vulnerability in significant-gravitas/autogpt version 0.5.1 allows an attacker to bypass the shell commands denylist settings. The issue arises when the denylist is configured to block specific commands, such as 'whoami' and '/bin/whoami'. An attacker can circumvent this restriction by executing commands with a modified path, such as '/bin/./whoami', which is not recognized by the denylist.

### POC

#### Reference
No PoCs from references.

#### Github
- https://github.com/rahg0/python-intentionally-vuln-package
- https://github.com/rahg0/python-weather-app
- https://github.com/rahg0/python-weather-app-with-pipenv