CVE-2024-3234

2024-06-0619:16:01

Google

osv.dev

path traversal

vulnerability

outdated component

access restriction

sensitive files

api keys

fixed version

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

6.4 Medium

AI Score

Confidence

Low

0.031 Low

EPSS

Percentile

91.1%

JSON

The gaizhenbiao/chuanhuchatgpt application is vulnerable to a path traversal attack due to its use of an outdated gradio component. The application is designed to restrict user access to resources within the web_assets folder. However, the outdated version of gradio it employs is susceptible to path traversal, as identified in CVE-2023-51449. This vulnerability allows unauthorized users to bypass the intended restrictions and access sensitive files, such as config.json, which contains API keys. The issue affects the latest version of chuanhuchatgpt prior to the fixed version released on 20240305.

CPENameOperatorVersion
chuanhuchatgpteq20230310
chuanhuchatgpteq20230830
chuanhuchatgpteq20240121
chuanhuchatgpteq20230628
chuanhuchatgpteq20230305
chuanhuchatgpteq20231223
chuanhuchatgpteq20230405
chuanhuchatgpteq20230314
chuanhuchatgpteq20231020
chuanhuchatgpteq20230601

Name	Operator	Version
chuanhuchatgpt	eq	20230310
chuanhuchatgpt	eq	20230830
chuanhuchatgpt	eq	20240121
chuanhuchatgpt	eq	20230628
chuanhuchatgpt	eq	20230305
chuanhuchatgpt	eq	20231223
chuanhuchatgpt	eq	20230405
chuanhuchatgpt	eq	20230314
chuanhuchatgpt	eq	20231020
chuanhuchatgpt	eq	20230601