SSRF Vulnerability in File Upload Section of privategpt version 0.5.0
CVE-2024-5186

7.2 HIGH

Key Information:

Vendor: imartinez
CVE Published: 6 June 2024

What is CVE-2024-5186?

A Server-Side Request Forgery (SSRF) vulnerability is present in the file upload functionality of imartinez/privategpt (version 0.5.0). An unauthenticated attacker can manipulate the 'path' parameter of the upload request so that the server itself issues requests to attacker-chosen destinations. This reaches services on the local network that are not exposed to the attacker directly, including internal servers and the AWS instance metadata endpoint, and can therefore expose sensitive data such as internal service responses and cloud credentials. The practical check is whether the upload endpoint ever treats 'path' as a location to open or fetch rather than as a bare file name.
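The advisory does not show privategpt's upload handler, so the following is an added example, not the project's code. It shows the two policies a practitioner would apply to a 'path' parameter: if the value only names where the upload is stored, accept nothing but a bare file name; if the application legitimately fetches user-supplied URLs, refuse any target whose literal or resolved address falls in a loopback, private, link-local or reserved range (169.254.169.254, the instance metadata address named above, is link-local). The `Resolver` callable, the `metadata.internal` hostname and the sample inputs are constructed for the example; a deployment would wrap `socket.getaddrinfo`.

```python
import ipaddress
import posixpath
import re
from typing import Callable, Iterable, Optional, Tuple
from urllib.parse import urlsplit

# Address ranges a server-side fetch must never reach. 169.254.0.0/16 covers the
# cloud instance metadata service (169.254.169.254) named in the advisory.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]

# Hypothetical injectable resolver (hostname -> IP strings) so the check can be
# exercised offline; a deployment would wrap socket.getaddrinfo here.
Resolver = Callable[[str], Iterable[str]]

_PLAIN_FILE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,254}$")


def check_upload_path(path: str) -> Tuple[bool, str]:
    """Strict policy when 'path' only names where the upload is stored.

    Accept a bare file name and nothing else: no URL scheme, no UNC or
    protocol-relative prefix, no directory component, no traversal, no NUL.
    Returns (accepted, reason).
    """
    if "://" in path or path.startswith(("//", "\\\\")):
        return False, "URL scheme or network path prefix"
    if "\x00" in path:
        return False, "NUL byte"
    if "\\" in path or path != posixpath.basename(path):
        return False, "directory component"
    if path in ("", ".", "..") or not _PLAIN_FILE_NAME.match(path):
        return False, "not a plain file name"
    return True, "ok"


def fetch_target_is_blocked(url: str, resolve: Optional[Resolver] = None) -> bool:
    """Policy when the application legitimately fetches a user-supplied URL.

    Refuse non-http(s) schemes, hosts that cannot be resolved (fail closed),
    and any literal or resolved address inside BLOCKED_NETWORKS. IPv4-mapped
    IPv6 literals are unwrapped so ::ffff:169.254.169.254 cannot slip past.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return True
    host = parts.hostname
    try:
        candidates = [ipaddress.ip_address(host)]
    except ValueError:
        # Not an IP literal. Decimal forms such as 2130706433 land here too;
        # getaddrinfo would turn that into 127.0.0.1, so resolve before judging.
        if resolve is None:
            return True
        try:
            candidates = [ipaddress.ip_address(a) for a in resolve(host)]
        except (ValueError, OSError):
            return True
        if not candidates:
            return True
    for addr in candidates:
        if addr.version == 6 and addr.ipv4_mapped is not None:
            addr = addr.ipv4_mapped
        if any(addr in net for net in BLOCKED_NETWORKS):
            return True
    return False


if __name__ == "__main__":
    # Constructed sample inputs, not captured traffic.
    for sample in ("report.pdf", "../../etc/passwd", "/etc/passwd",
                   "http://169.254.169.254/latest/meta-data/"):
        print(f"{sample!r:45} -> {check_upload_path(sample)}")
    fake_dns = {"metadata.internal": ["169.254.169.254"],
                "example.com": ["93.184.216.34"]}
    for sample in ("https://example.com/doc.pdf", "http://metadata.internal/",
                   "http://[::ffff:169.254.169.254]/", "http://2130706433/",
                   "file:///etc/passwd"):
        blocked = fetch_target_is_blocked(sample, lambda h: fake_dns.get(h, []))
        print(f"{sample!r:45} -> blocked={blocked}")
```

Two caveats when adapting this: the resolved address must be the one the HTTP client actually connects to (resolve once, pin, then connect), otherwise a DNS rebinding between the check and the connection reopens the hole; and redirects must be re-checked, since a permitted external host can 302 to the metadata address.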

Affected Version(s)

imartinez/privategpt <= unspecified (version 0.5.0 is confirmed affected; no fixed version is stated)


CVSS V3.1

Score: 7.2
Severity: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: None (with Availability rated Low, the same metrics would compute to 8.3; the 7.2 base score corresponds to A:N)

Timeline

  • Vulnerability reserved

  • Vulnerability published: 6 June 2024
