Vulnerability Monitor

CVE-2024-5186


A Server-Side Request Forgery (SSRF) vulnerability exists in the file upload section of imartinez/privategpt version 0.5.0. This vulnerability allows attackers to send crafted requests that could result in unauthorized access to the local network and potentially sensitive information. Specifically, by manipulating the 'path' parameter in a file upload request, an attacker can cause the application to make arbitrary requests to internal services, including the AWS metadata endpoint. This issue could lead to the exposure of internal servers and sensitive data.


Published

2024-06-06T19:16:05.860

Last Modified

2025-05-19T16:49:21.883

Status

Analyzed

Source

[email protected]

Severity

CVSSv3.1: 7.2 (HIGH)

Weaknesses
  • Type: Secondary
    CWE-918
  • Type: Primary
    CWE-918

Affected Vendors & Products
Type         Vendor  Product     Version/Range  Vulnerable?
Application  pribai  privategpt  0.5.0          Yes