Plattform
python
Komponente
chuanhuchatgpt
Behoben in
20240918
CVE-2024-6090 describes a path traversal vulnerability discovered in gaizhenbiao's chuanhuchatgpt, a Python-based application. This flaw allows unauthorized users to delete sensitive data, including chat histories and potentially other files ending in .json, leading to a denial of service. The vulnerability impacts versions of chuanhuchatgpt prior to 20240918. A patch has been released to address this issue.
The primary impact of CVE-2024-6090 is the ability for an attacker to delete arbitrary files on the target system, specifically those ending in the .json extension. This can be exploited to disrupt the application's functionality and prevent legitimate users from authenticating. The deletion of chat histories represents a significant data loss risk for affected users. While the vulnerability description doesn't explicitly mention lateral movement, the ability to delete files could potentially be leveraged to compromise other components or data stores if they share the same file system or access permissions. The blast radius extends to all users of the affected version of chuanhuchatgpt, particularly those who rely on the application for storing and managing chat data.
CVE-2024-6090 was publicly disclosed on June 27, 2024. There is currently no indication of active exploitation campaigns targeting this vulnerability. The vulnerability is not listed on the CISA KEV catalog as of this writing. Public proof-of-concept code is not widely available, but the vulnerability's nature makes it relatively straightforward to exploit.
Organizations deploying gaizhenbiao/chuanhuchatgpt, particularly those using it for sensitive communications or data storage, are at risk. Shared hosting environments where multiple users share the same server instance are especially vulnerable, as an attacker could potentially compromise the entire environment by exploiting this vulnerability.
• python / server:
find /path/to/chuanhuchatgpt -name '*.json' -type f -mmin -60 # Check for recently modified .json files• generic web:
curl -I 'http://your-chuanhuchatgpt-server/../../../../etc/passwd' # Attempt path traversaldisclosure
Exploit-Status
EPSS
0.21% (43% Perzentil)
CISA SSVC
CVSS-Vektor
The primary mitigation for CVE-2024-6090 is to immediately upgrade to version 20240918 or later. If an immediate upgrade is not feasible, consider implementing file system access controls to restrict write permissions for the application user. While a WAF or proxy cannot directly prevent path traversal, it can be configured to monitor for suspicious file access patterns and block requests containing potentially malicious path components. Regularly review file system permissions and audit logs for any unauthorized file modifications.
Actualice a la versión 20240918 o posterior. Esta versión contiene una corrección para la vulnerabilidad de path traversal que permite la eliminación no autorizada de archivos. La actualización evitará que usuarios no autorizados eliminen el historial de chat de otros usuarios y archivos `.json`.
Schwachstellenanalysen und kritische Warnungen direkt in deinen Posteingang.
CVE-2024-6090 is a Path Traversal vulnerability in gaizhenbiao/chuanhuchatgpt allowing attackers to delete user data and files, potentially causing denial of service.
You are affected if you are using chuanhuchatgpt versions equal to or less than 20240918.
Upgrade to version 20240918 or later. Implement file access controls and WAF rules as temporary mitigations.
There is currently no confirmed active exploitation, but the vulnerability's nature suggests potential for exploitation.
Refer to the gaizhenbiao/chuanhuchatgpt repository and related security announcements for the official advisory.
Lade deine Abhängigkeitsdatei hoch und erfahre sofort, ob dich diese und andere CVEs treffen.
Lade deine requirements.txt-Datei hoch und wir sagen dir sofort, ob du betroffen bist.