Vulnerability Description
imartinez/privategpt version 0.2.0 is vulnerable to a local file inclusion vulnerability that allows attackers to read arbitrary files from the filesystem. By manipulating file upload functionality to ingest arbitrary local files, attackers can exploit the 'Search in Docs' feature or query the AI to retrieve or disclose the contents of any file on the system. This vulnerability could lead to various impacts, including but not limited to remote code execution by obtaining private SSH keys, unauthorized access to private files, source code disclosure facilitating further attacks, and exposure of configuration files.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Pribai | Privategpt | >= 0.2.0, < 0.6.0 |
Related Weaknesses (CWE)
References
- https://huntr.com/bounties/7431d1dd-f014-4d4f-acb6-f97369ef3688ExploitThird Party Advisory
- https://huntr.com/bounties/7431d1dd-f014-4d4f-acb6-f97369ef3688ExploitThird Party Advisory
FAQ
What is CVE-2024-3403?
CVE-2024-3403 is a vulnerability with a CVSS score of 7.5 (HIGH). imartinez/privategpt version 0.2.0 is vulnerable to a local file inclusion vulnerability that allows attackers to read arbitrary files from the filesystem. By manipulating file upload functionality to...
How severe is CVE-2024-3403?
CVE-2024-3403 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2024-3403?
Check the references section above for vendor advisories and patch information. Affected products include: Pribai Privategpt.