Medium

gpt_academic

Arbitrary File Read via Upload Function

A vulnerability in the latest version of gpt_academic allows any low-privileged user (CVSS PR:L) to read arbitrary files on the host, including sensitive files such as `config.py`, by supplying a crafted file path through the upload function, which does not validate the paths it receives. No fix was available at the time of publication.

Available publicly on Dec 31 2024

CVSS score: 6.5

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Credit: dtai261
Remediation Steps
  1. Validate the file paths received in WebSocket requests: resolve each path against the intended upload directory and reject any path that resolves outside it (traversal sequences such as `../`, absolute paths, symlinks pointing elsewhere), rather than only blocklisting known sensitive files such as `config.py`.
  2. Implement proper access controls to restrict access to the upload function and the files it handles.
  3. Regularly update and patch the software to address known vulnerabilities.
  4. Conduct security audits and code reviews to identify and fix potential security issues.
  5. Monitor and log file access activities to detect and respond to suspicious behavior.
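The containment check described in step 1, as an added example in Python (gpt_academic's language) that is not code from the project or from this advisory. The function names (`resolve_upload_path`, `is_safe_upload_path`, `demo`) and the `private_upload` directory name are assumptions for illustration; the probe paths are constructed inputs.

```python
import os
import tempfile
from pathlib import Path


class UnsafePathError(ValueError):
    """Raised when a client-supplied path escapes the allowed upload root."""


def resolve_upload_path(upload_root: str, requested: str) -> Path:
    """Map a client-supplied path onto a file under upload_root, or refuse.

    upload_root: the directory the upload handler may read from or write to.
    requested:   the untrusted path taken from the WebSocket / HTTP request.

    The check is allowlist-style: the fully resolved target must live inside
    the resolved upload root. Blocklisting names such as config.py is not
    enough, because "../" sequences, symlinks and alternate encodings bypass
    name matching.
    """
    root = Path(upload_root).resolve(strict=True)

    # Absolute paths and NUL bytes are never legitimate in an upload name.
    if "\x00" in requested or os.path.isabs(requested):
        raise UnsafePathError(f"rejected path: {requested!r}")

    # Join under the root, then collapse '..' and follow symlinks.
    # strict=False so a not-yet-existing filename (a fresh upload) still resolves.
    target = (root / requested).resolve(strict=False)

    # Containment check on the *resolved* paths.
    try:
        target.relative_to(root)
    except ValueError as exc:
        raise UnsafePathError(f"path escapes upload root: {requested!r}") from exc

    if target == root:
        raise UnsafePathError("path must name a file, not the upload root itself")
    return target


def is_safe_upload_path(upload_root: str, requested: str) -> bool:
    """Boolean form of the check, convenient for request filters and tests."""
    try:
        resolve_upload_path(upload_root, requested)
        return True
    except UnsafePathError:
        return False


def demo() -> dict:
    """Run the check over constructed probe paths; returns {path: accepted?}."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "private_upload")  # assumed upload directory
        os.makedirs(root)

        # A file outside the root standing in for config.py, plus a symlink
        # inside the root that points at it, to show resolve() catches it.
        outside = os.path.join(tmp, "config.py")
        with open(outside, "w") as fh:
            fh.write("SECRET = 'constructed'\n")
        probes = [
            "user1/notes.txt",        # ordinary relative path: accepted
            "../config.py",           # classic traversal: rejected
            "user1/../../config.py",  # traversal after a valid prefix: rejected
            "/etc/passwd",            # absolute path: rejected
            "user1/..",               # resolves to the root itself: rejected
        ]
        try:
            os.symlink(outside, os.path.join(root, "link_to_config"))
            probes.append("link_to_config")  # symlink escaping the root: rejected
        except OSError:
            pass  # platform without symlink support; skip that probe
        return {p: is_safe_upload_path(root, p) for p in probes}


if __name__ == "__main__":
    for path, accepted in demo().items():
        print(f"{'accept' if accepted else 'reject':6} {path}")
```

The important design choice is that both sides of the comparison are resolved paths: comparing the raw string prefix, or checking `".." not in requested`, would still let a symlink inside the upload directory or a path such as `private_upload_backup/` slip through.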
Patch Details
  • Fixed Version: N/A
  • Patch Commit: N/A