CVE-2024-3234

CVSS V2 None CVSS V3 None

Description

The gaizhenbiao/chuanhuchatgpt application is vulnerable to a path traversal attack due to its use of an outdated gradio component. The application is designed to restrict user access to resources within the `web_assets` folder. However, the outdated version of gradio it employs is susceptible to path traversal, as identified in CVE-2023-51449. This vulnerability allows unauthorized users to bypass the intended restrictions and access sensitive files, such as `config.json`, which contains API keys. The issue affects the latest version of chuanhuchatgpt prior to the fixed version released on 20240305.

Overview

CVE ID
CVE-2024-3234

Assigner
@huntr_ai

Vulnerability Status
PUBLISHED

Published Version
2024-06-06T18:20:45.616Z

Last Modified Date
2024-06-07T12:46:31.783Z

Weakness Enumerations

CWE	URL
CWE-22	http://cwe.mitre.org/data/definitions/22.html

References

Reference URL	Reference Tags
https://huntr.com/bounties/277e3ff0-5878-4809-a4b9-73cdbb70dc9f
https://github.com/gaizhenbiao/chuanhuchatgpt/commit/6b8f7db347b390f6f8bd07ea2a4ef01a47382f00

Sources

Source Name	Source URL
NIST	https://nvd.nist.gov/vuln/detail/CVE-2024-3234
MITRE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-3234

History

Created	Old Value	New Value	Data Type	Notes
2024-06-23 23:15:04				Added to TrackCVE