Chuanhuchatgpt Vulnerable to Path Traversal Attack Due to Outdated Gradio Component
CVE-2024-3234

9.8 CRITICAL

Key Information:

Vendor
CVE Published: 6 June 2024

What is CVE-2024-3234?

ChuanhuchatGPT, developed by Gaizhenbiao, is susceptible to a path traversal vulnerability that stems from its reliance on an outdated Gradio component. The flaw undermines the application's intended restriction of user access to the 'web_assets' directory. As a result, adversaries can potentially gain access to sensitive configuration files, such as 'config.json', which contain critical API keys and other sensitive data. The issue affects versions of ChuanhuchatGPT released before the patch on March 5, 2024, and poses significant risk if left unaddressed.

Affected Version(s)

gaizhenbiao/chuanhuchatgpt < unspecified

EPSS Score

58% chance of being exploited in the next 30 days.

CVSS V3.1

Score: 9.8
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
