CVE-2024-5186

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2024-5186

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-5186.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2024-5186

Published

2024-06-06T19:16:05.860Z

Modified

2026-03-14T12:38:28.020334Z

Severity

7.2 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N CVSS Calculator

Summary

[none]

Details

A Server-Side Request Forgery (SSRF) vulnerability exists in the file upload section of imartinez/privategpt version 0.5.0. This vulnerability allows attackers to send crafted requests that could result in unauthorized access to the local network and potentially sensitive information. Specifically, by manipulating the 'path' parameter in a file upload request, an attacker can cause the application to make arbitrary requests to internal services, including the AWS metadata endpoint. This issue could lead to the exposure of internal servers and sensitive data.

References

https://huntr.com/bounties/5f421645-3546-4a67-a421-ee1bc4b6e3a3

Affected packages

Git / github.com/zylon-ai/private-gpt

Affected ranges

Type

GIT

Repo

https://github.com/zylon-ai/private-gpt

Events

Introduced

Last affected

94ef38cbba8fe5e406eb192efafe774b9aadb564

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "0.5.0"
        }
    ]
}

Affected versions

v0.*

v0.0.1

v0.0.2

v0.1.0

v0.2.0

v0.3.0

v0.4.0

v0.5.0

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-5186.json"