CVE-2024-3403

Name of the Vulnerable Software and Affected Versions imartinez/privategpt version 0.2.0

Description The issue allows attackers to read arbitrary files from the filesystem by exploiting a local file inclusion vulnerability. This can be achieved by manipulating file upload functionality to ingest arbitrary local files, which can then be retrieved or disclosed through the 'Search in Docs' feature or by querying the AI. Potential impacts include remote code execution, unauthorized access to private files, source code disclosure, and exposure of configuration files.

Recommendations For imartinez/privategpt version 0.2.0, as a temporary workaround, consider disabling the file upload functionality and restricting access to the 'Search in Docs' feature until a patch is available. Avoid using the AI query feature to retrieve or disclose local files until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.