Vulnerabilities > CVE-2024-5186 - Server-Side Request Forgery (SSRF) vulnerability in Zylon Privategpt 0.5.0

047910
CVSS 8.6 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
HIGH
Integrity impact
NONE
Availability impact
NONE
network
low complexity
zylon
CWE-918

Summary

A Server-Side Request Forgery (SSRF) vulnerability exists in the file upload section of imartinez/privategpt version 0.5.0. This vulnerability allows attackers to send crafted requests that could result in unauthorized access to the local network and potentially sensitive information. Specifically, by manipulating the 'path' parameter in a file upload request, an attacker can cause the application to make arbitrary requests to internal services, including the AWS metadata endpoint. This issue could lead to the exposure of internal servers and sensitive data.

Vulnerable Configurations

Part Description Count
Application
Zylon
1

Common Weakness Enumeration (CWE)