    2 vulnerabilities by Zylon

    CVE-2025-4515 (GCVE-0-2025-4515)

    Vulnerability from nvd – Published: 2025-05-10 20:31 – Updated: 2025-05-12 14:39
    Title
    Zylon PrivateGPT settings.yaml cross-domain policy
    Summary
    A vulnerability, which was classified as problematic, was found in Zylon PrivateGPT up to 0.6.2. This affects an unknown part of the file settings.yaml. The manipulation of the argument allow_origins leads to permissive cross-domain policy with untrusted domains. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
    SSVC (CISA Coordinator, v2.0.3)
    Exploitation: poc; Automatable: no; Technical Impact: partial
    CWE
    • CWE-942 - Permissive Cross-domain Policy with Untrusted Domains
    • CWE-346 - Origin Validation Error
    Assigner: VulDB
    References
    https://vuldb.com/?id.308235 (VDB-308235 | Zylon PrivateGPT settings.yaml cross-domain policy) – tags: vdb-entry, technical-description
    https://vuldb.com/?ctiid.308235 (VDB-308235 | CTI Indicators (IOB, IOC, IOA)) – tags: signature, permissions-required
    https://vuldb.com/?submit.564451 (Submit #564451 | PrivateGPT 0.6.2 CWE-942: Permissive Cross-domain Policy with Untrusted Domains) – tags: third-party-advisory
    https://gist.github.com/superboy-zjc/2a727cb0c1d4… – tags: exploit
    Impacted products
    Vendor: Zylon; Product: PrivateGPT; Affected versions: 0.6.0, 0.6.1, 0.6.2
    Credits
    Jiacheng Gavin Zhong (finder); Zhengyu Liu (finder); Gavin Zhong (VulDB User) (reporter, analyst)
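    The advisory's point, a wildcard `allow_origins` that turns into a permissive cross-domain policy (CWE-942), shown as an added example in Python, the language PrivateGPT is written in. This is not PrivateGPT's code, its settings.yaml, or the published exploit: the settings-dict layout, the `allow_credentials` key, the origins, and the simplified middleware model are assumptions made for illustration. The middleware model follows the documented behaviour of Starlette's CORSMiddleware when `allow_origins` is `["*"]` and credentials are enabled: a request carrying a cookie gets its own `Origin` echoed back, which is what lets a hostile page call the API with the victim's session and read the answer. Beside the weak policy sits a strict allow-list check, a header classifier a tester can point at a live instance, and a settings lint that flags the pattern before deployment.

```python
"""
Added example, not code from PrivateGPT or from the advisory. Shows what a
permissive cross-domain policy (CWE-942) means at the HTTP header level for a
settings dict whose `allow_origins` key mirrors the one named in the advisory.
The dict layout, allow_credentials, the origins and the middleware model are
assumptions for illustration.
"""
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Constructed sample settings (assumed layout, not PrivateGPT's settings.yaml).
PERMISSIVE_SETTINGS = {
    "cors": {"enabled": True, "allow_origins": ["*"], "allow_credentials": True}
}
HARDENED_SETTINGS = {
    "cors": {
        "enabled": True,
        "allow_origins": ["https://app.example.internal"],  # assumed front-end origin
        "allow_credentials": True,
    }
}


def normalize_origin(origin: str) -> Optional[str]:
    """Return 'scheme://host[:port]' lower-cased, or None if the value is not an origin.

    An Origin header never carries a path, query or fragment, so values that do
    (or a bare '*', or the literal 'null') are rejected rather than matched.
    """
    parts = urlsplit(origin)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return None
    if parts.path or parts.query or parts.fragment:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()


def origin_allowed(settings: dict, request_origin: str) -> bool:
    """Strict allow-list check: exact match on the normalized origin, no wildcard.

    A '*' entry does not normalize to an origin and therefore matches nothing,
    so the check fails closed instead of turning a wildcard into 'everyone'.
    """
    origin = normalize_origin(request_origin)
    if origin is None:
        return False
    allowed = {normalize_origin(o) for o in settings["cors"]["allow_origins"]}
    return origin in allowed


def cors_response_headers(settings: dict, request_origin: str, has_cookie: bool) -> Dict[str, str]:
    """Emulate the CORS headers a middleware emits for one request.

    Simplified model of Starlette's CORSMiddleware (assumption, not project code):
    with allow_origins ['*'] and credentials on, a request carrying a cookie gets
    its own Origin echoed back, because browsers refuse '*' with credentials.
    """
    cfg = settings["cors"]
    headers: Dict[str, str] = {}
    if not cfg["enabled"]:
        return headers  # no middleware installed: plain same-origin policy applies
    if "*" in cfg["allow_origins"]:
        echo = cfg["allow_credentials"] and has_cookie
        headers["Access-Control-Allow-Origin"] = request_origin if echo else "*"
    elif origin_allowed(settings, request_origin):
        headers["Access-Control-Allow-Origin"] = request_origin
        headers["Vary"] = "Origin"  # caches must not replay this ACAO to other origins
    else:
        return headers  # origin not on the list: no CORS headers at all
    if cfg["allow_credentials"]:
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


def classify_cors(headers: Dict[str, str], probe_origin: str) -> str:
    """Judge a response to a request sent with 'Origin: probe_origin', an origin the
    server has no reason to trust. Returns 'none', 'wildcard', 'reflected' or
    'reflected-with-credentials' (the CWE-942 case: a hostile page can call the
    API with the victim's cookies and read the result).
    """
    acao = headers.get("Access-Control-Allow-Origin")
    creds = headers.get("Access-Control-Allow-Credentials", "").lower() == "true"
    if acao is None:
        return "none"
    if acao == "*":
        return "wildcard"
    if acao.lower() == probe_origin.lower():
        return "reflected-with-credentials" if creds else "reflected"
    return "none"


def cors_config_findings(settings: dict) -> List[str]:
    """Lint the settings for the CWE-942 pattern before deployment; empty list = ok."""
    cfg = settings.get("cors", {})
    findings: List[str] = []
    if not cfg.get("enabled", False):
        return findings
    origins = cfg.get("allow_origins", [])
    if "*" in origins:
        findings.append("allow_origins contains '*': any web page may read API responses")
        if cfg.get("allow_credentials", False):
            findings.append("'*' with allow_credentials: caller's Origin is echoed, so "
                            "cookies and auth headers are usable cross-site")
    for o in origins:
        if o != "*" and normalize_origin(o) is None:
            findings.append(f"allow_origins entry {o!r} is not a scheme://host[:port] origin")
    return findings


if __name__ == "__main__":
    attacker = "https://attacker.example"  # constructed untrusted origin
    for name, cfg in (("permissive", PERMISSIVE_SETTINGS), ("hardened", HARDENED_SETTINGS)):
        hdrs = cors_response_headers(cfg, attacker, has_cookie=True)
        print(name, "->", classify_cors(hdrs, attacker), cors_config_findings(cfg))
```

    To check a deployment rather than the model, send any authenticated request with an `Origin` header naming a host you control plus the session cookie, collect the response headers, and feed them to `classify_cors` with that same origin; anything other than `none` is a finding, and `reflected-with-credentials` is the condition the advisory describes. The remediation is the hardened settings shape above: list the exact front-end origin(s), never `*` alongside credentials, or leave CORS disabled when the API is only called from its own origin.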

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-4515",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-05-12T14:39:38.291533Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-05-12T14:39:41.539Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://gist.github.com/superboy-zjc/2a727cb0c1d468f21a91e0416d006ffe"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "PrivateGPT",
              "vendor": "Zylon",
              "versions": [
                {
                  "status": "affected",
                  "version": "0.6.0"
                },
                {
                  "status": "affected",
                  "version": "0.6.1"
                },
                {
                  "status": "affected",
                  "version": "0.6.2"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Jiacheng Gavin Zhong"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "Zhengyu Liu"
            },
            {
              "lang": "en",
              "type": "reporter",
              "value": "Gavin Zhong (VulDB User)"
            },
            {
              "lang": "en",
              "type": "analyst",
              "value": "Gavin Zhong (VulDB User)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A vulnerability, which was classified as problematic, was found in Zylon PrivateGPT up to 0.6.2. This affects an unknown part of the file settings.yaml. The manipulation of the argument allow_origins leads to permissive cross-domain policy with untrusted domains. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way."
            },
            {
              "lang": "de",
              "value": "Es wurde eine problematische Schwachstelle in Zylon PrivateGPT bis 0.6.2 gefunden. Es betrifft eine unbekannte Funktion der Datei settings.yaml. Durch Manipulation des Arguments allow_origins mit unbekannten Daten kann eine permissive cross-domain policy with untrusted domains-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk erfolgen. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 5,
                "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-942",
                  "description": "Permissive Cross-domain Policy with Untrusted Domains",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-346",
                  "description": "Origin Validation Error",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-05-10T20:31:04.532Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-308235 | Zylon PrivateGPT settings.yaml cross-domain policy",
              "tags": [
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://vuldb.com/?id.308235"
            },
            {
              "name": "VDB-308235 | CTI Indicators (IOB, IOC, IOA)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/?ctiid.308235"
            },
            {
              "name": "Submit #564451 | PrivateGPT 0.6.2 CWE-942: Permissive Cross-domain Policy with Untrusted Domains",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/?submit.564451"
            },
            {
              "tags": [
                "exploit"
              ],
              "url": "https://gist.github.com/superboy-zjc/2a727cb0c1d468f21a91e0416d006ffe"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2025-05-09T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2025-05-09T02:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2025-05-09T23:52:11.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "Zylon PrivateGPT settings.yaml cross-domain policy"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2025-4515",
        "datePublished": "2025-05-10T20:31:04.532Z",
        "dateReserved": "2025-05-09T14:54:41.437Z",
        "dateUpdated": "2025-05-12T14:39:41.539Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-4515 (GCVE-0-2025-4515)

    Vulnerability from cvelistv5 – Published: 2025-05-10 20:31 – Updated: 2025-05-12 14:39