Unauthorized Access to Sensitive Information in ChuanhuChatGPT
CVE-2024-2217

7.5 HIGH

Key Information:

Vendor
CVE Published: 10 April 2024

What is CVE-2024-2217?

ChuanhuChatGPT, developed by Gaizhenbiao, is susceptible to an improper access control vulnerability that compromises the integrity of the application by allowing unauthorized users to access the 'config.json' file. This vulnerability is present across both authenticated and unauthenticated versions of the application, enabling adversaries to retrieve sensitive data, including critical API keys such as 'openai_api_key', 'google_palm_api_key', and 'xmchat_api_key', along with configuration details and user credentials. The root cause of this issue lies in the inadequate handling of HTTP requests directed at the 'config.json' file, which fails to enforce proper access restrictions based on user authentication.
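A log triage sketch for the exposure described above, added here as an example (it is not code from ChuanhuChatGPT or from the CVE record). It assumes the deployment sits behind a web server or proxy that writes combined-format access logs; the sample lines, addresses and the function name `find_config_reads` are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample lines in combined log format (not real traffic).
SAMPLE_LOG = '''\
203.0.113.7 - - [11/Mar/2024:10:02:11 +0000] "GET /config.json HTTP/1.1" 200 1843 "-" "curl/8.4.0"
203.0.113.7 - - [11/Mar/2024:10:02:15 +0000] "GET /config%2Ejson?x=1 HTTP/1.1" 200 1843 "-" "curl/8.4.0"
198.51.100.23 - - [11/Mar/2024:10:05:40 +0000] "GET /config.json HTTP/1.1" 403 153 "-" "Mozilla/5.0"
192.0.2.50 - - [11/Mar/2024:10:06:02 +0000] "GET /docs/myconfig.json.bak HTTP/1.1" 200 77 "-" "Mozilla/5.0"
192.0.2.50 - - [11/Mar/2024:10:06:09 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
'''

# Combined log format: client, identity, user, [time], "request", status, size.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
# config.json as a whole path segment or parameter value, after URL-decoding.
TARGET_RE = re.compile(r'(?:^|[/=])config\.json(?:$|[?&#/])', re.IGNORECASE)


def find_config_reads(log_text):
    """Return {client_ip: [(timestamp, target, bytes_sent), ...]} for 2xx reads."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed or non-request lines
        target = unquote(m["target"])  # normalise percent-encoding before matching
        # Only 2xx responses count: a 403/404 means the file was not served.
        if TARGET_RE.search(target) and m["status"].startswith("2"):
            size = int(m["size"]) if m["size"].isdigit() else 0
            hits[m["ip"]].append((m["ts"], target, size))
    return dict(hits)


if __name__ == "__main__":
    for ip, reads in find_config_reads(SAMPLE_LOG).items():
        print(f"{ip}: {len(reads)} successful config.json read(s)")
        for ts, target, size in reads:
            print(f"  {ts}  {target}  {size} bytes")
```

On a deployment older than 20240310, any hit means the API keys and credentials stored in `config.json` should be treated as disclosed and rotated.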

Affected Version(s)

gaizhenbiao/chuanhuchatgpt < 20240310

CVSS V3.1

  • Score: 7.5
  • Severity: HIGH
  • Confidentiality: High
  • Integrity: None
  • Availability: High
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
