{"id":"GHSA-3864-rp2m-2qfj","summary":"libre-chat Path Traversal vulnerability","details":"An issue in the upload_documents method of libre-chat v0.0.6 allows attackers to perform path traversal by supplying a crafted filename in an uploaded file.","aliases":["CVE-2024-52787"],"modified":"2024-11-27T19:46:16.463130Z","published":"2024-11-25T18:33:26Z","database_specific":{"severity":"MODERATE","github_reviewed_at":"2024-11-25T19:43:23Z","cwe_ids":["CWE-22"],"nvd_published_at":"2024-11-25T18:15:13Z","github_reviewed":true},"references":[{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-52787"},{"type":"WEB","url":"https://github.com/vemonet/libre-chat/issues/10"},{"type":"WEB","url":"https://github.com/vemonet/libre-chat/pull/9"},{"type":"WEB","url":"https://github.com/vemonet/libre-chat/commit/dbb8e3400e5258112179783d74c9cc54310cb72b"},{"type":"WEB","url":"https://gist.github.com/jxfzzzt/276a6e8cfbc54d2c2711bb51d8d3dff3"},{"type":"PACKAGE","url":"https://github.com/vemonet/libre-chat"}],"affected":[{"package":{"name":"libre-chat","ecosystem":"PyPI","purl":"pkg:pypi/libre-chat"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"last_affected":"0.0.6"}]}],"versions":["0.0.4","0.0.6"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/11/GHSA-3864-rp2m-2qfj/GHSA-3864-rp2m-2qfj.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U"}]}