CVE-2024-5186 HIGH

CVE-2024-5186: Server Side Request Forgery (SSRF) in imartinez/privategpt

Vendor Imartinez
Product imartinez/privategpt
Weakness CWE-918 · SSRF
Published June 6, 2024
Last update August 1, 2024

CVSS base score

8.3/10 (High)
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Scope Changed
Confidentiality Low
Integrity Low
Availability Low

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L

What the vulnerability does

01 Description

A Server-Side Request Forgery (SSRF) vulnerability exists in the file upload section of imartinez/privategpt version 0.5.0. By manipulating the 'path' parameter of a file upload request, an unauthenticated attacker can cause the application to issue arbitrary requests to hosts reachable from the server, including internal services and the AWS instance metadata endpoint, rather than treating the value as a file name. This can expose internal servers and sensitive information that should only be reachable from the server itself.
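The bug class described above, as an added illustration that is not code from imartinez/privategpt (the project's actual upload handler is not reproduced here): a 'path' field the server treats as something to fetch, beside the two checks a fix needs, confining an upload path to a directory and, for endpoints that genuinely must fetch URLs, refusing internal destinations such as the 169.254.169.254 metadata address. The upload root, the function names and the sample inputs are assumptions.

```python
"""Illustrative SSRF checks for a file-upload 'path' field.

Added example, not code from imartinez/privategpt. The upload root, the
function names and the inputs used below are assumptions.
"""
import ipaddress
from pathlib import Path
from urllib.parse import urlsplit

UPLOAD_ROOT = "/var/privategpt/uploads"   # assumed layout, not the project's real one
ALLOWED_URL_SCHEMES = {"http", "https"}


class RejectedPath(ValueError):
    """Raised when a client-supplied path or URL fails validation."""


def is_internal_address(host: str) -> bool:
    """True when host is a literal IP the server must never be made to contact.

    Covers loopback, RFC 1918 private ranges, link-local (which contains the
    169.254.169.254 cloud metadata endpoint), multicast, reserved and unspecified
    addresses, for IPv4, IPv6 and IPv4-mapped IPv6. Hostnames and non-canonical
    IP spellings (decimal, hex, octal) return False here: a real deployment must
    apply the same test to every address DNS returns, at connect time, to defeat
    DNS rebinding.
    """
    try:
        ip = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        return False
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped          # ::ffff:169.254.169.254 is still the metadata host
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def vulnerable_target(path: str) -> str:
    """The flaw in one line: whatever the client sent as 'path' is what the server
    goes on to open or request, so 'http://169.254.169.254/...' is fetched from
    inside the network with the server's own access."""
    return path


def safe_upload_path(path: str, root: str = UPLOAD_ROOT) -> Path:
    """Treat 'path' strictly as a file name under the upload root.

    Rejects NUL bytes, anything carrying a URL scheme or network location
    (so 'http://', 'file://' and scheme-less '//host/x' all fail), and any path
    that escapes the root after '..' and symlink resolution. A plain name that
    merely looks like a host ('169.254.169.254/x') is just a file name here.
    Names containing ':' are rejected as well, which is the conservative side.
    """
    if "\x00" in path:
        raise RejectedPath("NUL byte in path")
    parts = urlsplit(path)
    if parts.scheme or parts.netloc:
        raise RejectedPath(f"upload path must be a file name, not a URL: {path!r}")
    base = Path(root).resolve()
    candidate = (base / path).resolve()   # an absolute 'path' replaces base entirely
    try:
        candidate.relative_to(base)
    except ValueError:
        raise RejectedPath(f"path escapes upload root: {path!r}") from None
    if candidate == base:
        raise RejectedPath("empty path")
    return candidate


def safe_fetch_target(url: str) -> str:
    """For endpoints that legitimately accept a URL: allow only http(s) to a host
    that is not a literal internal address. Returns the normalised URL."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_URL_SCHEMES:
        raise RejectedPath(f"scheme not allowed: {parts.scheme!r}")
    host = parts.hostname
    if not host:
        raise RejectedPath("missing host")
    if is_internal_address(host):
        raise RejectedPath(f"internal address not allowed: {host!r}")
    return parts.geturl()


def rejects(check, value, *args) -> bool:
    """True if check(value, *args) raises RejectedPath; used by the demo below."""
    try:
        check(value, *args)
    except RejectedPath:
        return True
    return False


if __name__ == "__main__":
    metadata = "http://169.254.169.254/latest/meta-data/"   # constructed input
    print("vulnerable handler would fetch:", vulnerable_target(metadata))
    print("hardened handler rejects it:", rejects(safe_upload_path, metadata))
    print("plain file name resolves to:", safe_upload_path("report.pdf"))
```

The two hardened functions deliberately answer different questions: an upload endpoint has no business fetching anything, so it never parses a URL at all, while a URL-fetching endpoint still has to check where the request will go. Checking literal IPs is necessary but not sufficient; the destination must be re-checked after name resolution and on every redirect.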

Key dates

02 Disclosure timeline

June 6, 2024 CVE published
August 1, 2024 Record updated