CVE-2024-3403

Source
https://cve.org/CVERecord?id=CVE-2024-3403
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-3403.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-3403
Published
2024-05-16T09:15:14.053Z
Modified
2026-03-14T12:33:35.084242Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
[none]
Details

imartinez/privategpt version 0.2.0 contains a local file inclusion vulnerability that allows attackers to read arbitrary files from the filesystem. By manipulating the file upload functionality to ingest arbitrary local files, attackers can then use the 'Search in Docs' feature or query the AI to retrieve or disclose the contents of any file on the system. Potential impacts include, but are not limited to, remote code execution by obtaining private SSH keys, unauthorized access to private files, source code disclosure facilitating further attacks, and exposure of configuration files.

References

Affected packages

Git / github.com/zylon-ai/private-gpt

Affected ranges

Type
GIT
Repo
https://github.com/zylon-ai/private-gpt
Events
Database specific
{
    "versions": [
        {
            "introduced": "0.2.0"
        },
        {
            "fixed": "0.6.0"
        }
    ]
}

Affected versions

Other
fix/local-setup
v0.*
v0.2.0
v0.3.0
v0.4.0
v0.5.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-3403.json"