Griptape
Remote path traversal in griptape-ai griptape 0.19.4 ComputerTool allows authenticated attackers to manipulate the filename argument in griptape/tools/computer/tool.py, enabling unauthorized file access with read, write, and limited availability impact. Publicly available exploit code exists; the vendor has not responded to early disclosure notifications.
SQL injection in griptape-ai griptape 0.19.4 SqlTool allows authenticated remote attackers to manipulate SQL queries via the griptape/tools/sql/tool.py component, potentially accessing or modifying database contents. The exploit is publicly available, and the vendor has not responded to early disclosure notification.
Path traversal in griptape-ai griptape 0.19.4 FileManagerTool allows authenticated remote attackers to read, write, and delete arbitrary files on the server via specially crafted paths in the load_files_from_disk, list_files_from_disk, save_content_to_file, and save_memory_artifacts_to_disk functions. Publicly available exploit code exists, the CVSS score is 6.3 (medium), and the vendor has not responded to early disclosure notification.