What is the severity of CVE-2024-5186?

CVE-2024-5186 has a high severity due to its potential for unauthorized network access.

How do I fix CVE-2024-5186?

To fix CVE-2024-5186, upgrade to a patched version of imartinez/privategpt if available, and ensure proper input validation in the file upload section.

What systems are affected by CVE-2024-5186?

CVE-2024-5186 affects version 0.5.0 of imartinez/privategpt.

What kind of attacks can exploit CVE-2024-5186?

CVE-2024-5186 can be exploited via crafted requests that manipulate the file upload process to disclose sensitive information.

Is CVE-2024-5186 being actively exploited in the wild?

As of now, there is no public indication that CVE-2024-5186 is being actively exploited in the wild.

Vulnerability/
CVE-2024-5186

high

8.6

CWE

918

EPSS

0.043%

6/6/2024

21/11/2024

CVE-2024-5186: Server Side Request Forgery (SSRF) in imartinez/privategpt

First published: Thu Jun 06 2024(Updated: )

A Server-Side Request Forgery (SSRF) vulnerability exists in the file upload section of imartinez/privategpt version 0.5.0. This vulnerability allows attackers to send crafted requests that could result in unauthorized access to the local network and potentially sensitive information. Specifically, by manipulating the 'path' parameter in a file upload request, an attacker can cause the application to make arbitrary requests to internal services, including the AWS metadata endpoint. This issue could lead to the exposure of internal servers and sensitive data.

Credit: security@huntr.dev

Affected Software	Affected Version	How to fix
Zylon PrivateGPT	=0.5.0

Never miss a vulnerability like this again

Reference Links

https://huntr.com/bounties/5f421645-3546-4a67-a421-ee1bc4b6e3a3

Frequently Asked Questions

What is the severity of CVE-2024-5186?
CVE-2024-5186 has a high severity due to its potential for unauthorized network access.
How do I fix CVE-2024-5186?
To fix CVE-2024-5186, upgrade to a patched version of imartinez/privategpt if available, and ensure proper input validation in the file upload section.
What systems are affected by CVE-2024-5186?
CVE-2024-5186 affects version 0.5.0 of imartinez/privategpt.
What kind of attacks can exploit CVE-2024-5186?
CVE-2024-5186 can be exploited via crafted requests that manipulate the file upload process to disclose sensitive information.
Is CVE-2024-5186 being actively exploited in the wild?
As of now, there is no public indication that CVE-2024-5186 is being actively exploited in the wild.

agent/weakness
agent/references
agent/title
agent/type
agent/description
agent/first-publish-date
agent/author
agent/event
collector/epss-latest
source/FIRST
agent/epss
collector/mitre-cve
source/MITRE
agent/severity
agent/last-modified-date
agent/source
agent/tags
agent/softwarecombine
collector/nvd-api
source/NVD
agent/software-canonical-lookup
agent/software-canonical-lookup-request
vendor/zylon
canonical/zylon privategpt
version/zylon privategpt/0.5.0

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.