CVE-2024-3234

2024-06-0619:16:01

CWE-22

@huntr_ai

web.nvd.nist.gov

chuanhuchatgpt

unauthorized access

path traversal

sensitive files

outdated component

web_assets

cve-2024-3234

nvd

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

6.7

Confidence

Low

EPSS

0.077

Percentile

94.3%

JSON

The gaizhenbiao/chuanhuchatgpt application is vulnerable to a path traversal attack due to its use of an outdated gradio component. The application is designed to restrict user access to resources within the web_assets folder. However, the outdated version of gradio it employs is susceptible to path traversal, as identified in CVE-2023-51449. This vulnerability allows unauthorized users to bypass the intended restrictions and access sensitive files, such as config.json, which contains API keys. The issue affects the latest version of chuanhuchatgpt prior to the fixed version released on 20240305.

Affected configurations

Nvd

Node

gaizhenbiaochuanhuchatgptRange<20240305

VendorProductVersionCPE
gaizhenbiaochuanhuchatgpt*cpe:2.3:a:gaizhenbiao:chuanhuchatgpt:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
gaizhenbiao	chuanhuchatgpt	*	cpe:2.3:a:gaizhenbiao:chuanhuchatgpt::::::::

CNA Affected

[
  {
    "vendor": "gaizhenbiao",
    "product": "gaizhenbiao/chuanhuchatgpt",
    "versions": [
      {
        "version": "unspecified",
        "lessThan": " 20240305",
        "status": "affected",
        "versionType": "custom"
      }
    ]
  }
]