Strix
26.1K

CVE-2024-10948

MEDIUMCVSS 6.5/10EPSS 0.77%

Last modified

CVE-2024-10948 is a medium-severity vulnerability rated 6.5/10 on the CVSS scale. A vulnerability in the upload function of binary-husky/gpt_academic allows any user to read arbitrary files on the system, including sensitive files such as `config.py`. This issue affects the latest version of the product. EPSS estimates a 0.77% chance of exploitation in the next 30 days.

Description

A vulnerability in the upload function of binary-husky/gpt_academic allows any user to read arbitrary files on the system, including sensitive files such as `config.py`. This issue affects the latest version of the product. An attacker can exploit this vulnerability by intercepting the websocket request during file upload and replacing the file path with the path of the file they wish to read. The server then copies the file to the `private_upload` folder and provides the path to the copied file, which can be accessed via a GET request. This vulnerability can lead to the exposure of sensitive system files, potentially including credentials, configuration files, or sensitive user data.

Metrics

CVSS 3.0
6.5/10

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

EPSS Probability
0.77%

51.0th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

VendorProductVersions
Binary-HuskyGpt Academic3.83

References

Timeline

Published
Last Modified
Status
Analyzed

Frequently Asked Questions

What is CVE-2024-10948?
A vulnerability in the upload function of binary-husky/gpt_academic allows any user to read arbitrary files on the system, including sensitive files such as `config.py`. This issue affects the latest version of the product. An attacker can exploit this vulnerability by intercepting the websocket request during file upload and replacing the file path with the path of the file they wish to read. The server then copies the file to the `private_upload` folder and provides the path to the copied file, which can be accessed via a GET request. This vulnerability can lead to the exposure of sensitive system files, potentially including credentials, configuration files, or sensitive user data.
How severe is CVE-2024-10948?
CVE-2024-10948 has a CVSS score of 6.5/10 (MEDIUM severity). The EPSS model estimates a 0.77% probability of exploitation in the next 30 days.
How do I fix CVE-2024-10948?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2024-10948?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST