CVE-2024-5186

Source
https://cve.org/CVERecord?id=CVE-2024-5186
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-5186.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-5186
Published
2024-06-06T18:19:57.023Z
Modified
2026-07-15T01:49:03.914975546Z
Severity
  • 8.3 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L CVSS Calculator
Summary
Server Side Request Forgery (SSRF) in imartinez/privategpt
Details

A Server-Side Request Forgery (SSRF) vulnerability exists in the file upload section of imartinez/privategpt version 0.5.0. This vulnerability allows attackers to send crafted requests that could result in unauthorized access to the local network and potentially sensitive information. Specifically, by manipulating the 'path' parameter in a file upload request, an attacker can cause the application to make arbitrary requests to internal services, including the AWS metadata endpoint. This issue could lead to the exposure of internal servers and sensitive data.

Database specific
{
    "cwe_ids": [
        "CWE-918"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/5xxx/CVE-2024-5186.json",
    "cna_assigner": "@huntr_ai"
}
References

Affected packages

Git / github.com/zylon-ai/private-gpt

Affected ranges

Type
GIT
Repo
https://github.com/zylon-ai/private-gpt
Events
Database specific
{
    "cpe": "cpe:2.3:a:pribai:privategpt:0.5.0:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "0.5.0"
        },
        {
            "last_affected": "0.5.0"
        }
    ],
    "source": "CPE_STRING"
}

Affected versions

0.*
0.5.0
v0.*
v0.5.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-5186.json"