Plattform
python
Komponente
gaizhenbiao/chuanhuchatgpt
Behoben in
20240918
CVE-2024-5982 represents a critical Path Traversal vulnerability discovered in gaizhenbiao/chuanhuchatgpt, a Python-based application. This flaw allows attackers to manipulate file paths, potentially leading to remote code execution (RCE) and sensitive data exposure. The vulnerability affects versions of the application prior to 20240918, and a patch has been released to address the issue.
The impact of CVE-2024-5982 is significant due to the potential for remote code execution. Attackers can leverage the unsanitized input handling in multiple areas of the application to upload arbitrary files, create directories, and load malicious templates. Specifically, the loadchathistory function allows for arbitrary file uploads, while gethistorynames permits directory creation. The load_template function can be exploited to leak the first column of CSV files, potentially exposing sensitive information. Successful exploitation could lead to complete system compromise, data breaches, and denial of service.
CVE-2024-5982 is currently not listed on the CISA KEV catalog. Public proof-of-concept exploits are not yet widely available, but the vulnerability's severity and ease of exploitation suggest a medium probability of exploitation. The vulnerability was publicly disclosed on 2024-10-29.
Organizations deploying gaizhenbiao/chuanhuchatgpt, particularly those using it for handling user-uploaded content or sensitive data, are at significant risk. Shared hosting environments where multiple users share the same server and file system are especially vulnerable, as an attacker could potentially compromise other users' data.
• python / server:
import os
import hashlib
def check_file_path(filepath):
if '..' in filepath or '/var/www/html' in filepath:
return True # Potential path traversal
return False
# Example usage (replace with actual file path from application)
file_path = '/path/to/uploaded/file.txt'
if check_file_path(file_path):
print(f"Potential path traversal detected: {file_path}")• linux / server:
# Monitor for unusual file creation in sensitive directories
journalctl -f | grep 'create file' | grep '/var/www/html'disclosure
patch
Exploit-Status
EPSS
8.69% (92% Perzentil)
CVSS-Vektor
The primary mitigation for CVE-2024-5982 is to immediately upgrade to version 20240918 or later. If upgrading is not immediately feasible, consider implementing temporary workarounds such as restricting file upload locations and types, and carefully validating all user-supplied input. Web application firewalls (WAFs) configured to detect and block path traversal attempts can provide an additional layer of defense. Monitor application logs for suspicious file access patterns and unusual directory creation activity.
Aktualisieren Sie auf Version 20240918 oder höher. Diese Version behebt die Path-Traversal-Schwachstelle, indem sie Benutzereingaben korrekt sanitisiert. Das Update mildert das Risiko von Remote Code Execution und Informationsverlust.
Schwachstellenanalysen und kritische Warnungen direkt in deinen Posteingang.
CVE-2024-5982 is a critical vulnerability allowing attackers to manipulate file paths in gaizhenbiao/chuanhuchatgpt versions before 20240918, potentially leading to RCE and data leakage.
You are affected if you are using gaizhenbiao/chuanhuchatgpt versions prior to 20240918. Immediately upgrade to the patched version.
Upgrade to version 20240918 or later. Implement temporary workarounds like restricting file uploads if immediate upgrade is not possible.
While no widespread exploitation has been confirmed, the vulnerability's severity and ease of exploitation suggest a potential for active exploitation.
Refer to the project's repository or official communication channels for the advisory related to CVE-2024-5982.
Lade deine Abhängigkeitsdatei hoch und erfahre sofort, ob dich diese und andere CVEs treffen.
Lade deine requirements.txt-Datei hoch und wir sagen dir sofort, ob du betroffen bist.