Platform
python
Component
gaizhenbiao/chuanhuchatgpt
Fixed in
20240918
CVE-2024-5982 represents a critical Path Traversal vulnerability discovered in gaizhenbiao/chuanhuchatgpt, a Python-based application. This flaw allows attackers to manipulate file paths, potentially leading to remote code execution (RCE) and sensitive data exposure. The vulnerability affects versions of the application prior to 20240918, and a patch has been released to address the issue.
The impact of CVE-2024-5982 is significant due to the potential for remote code execution. Attackers can leverage the unsanitized input handling in multiple areas of the application to upload arbitrary files, create directories, and load malicious templates. Specifically, the loadchathistory function allows for arbitrary file uploads, while gethistorynames permits directory creation. The load_template function can be exploited to leak the first column of CSV files, potentially exposing sensitive information. Successful exploitation could lead to complete system compromise, data breaches, and denial of service.
CVE-2024-5982 is currently not listed on the CISA KEV catalog. Public proof-of-concept exploits are not yet widely available, but the vulnerability's severity and ease of exploitation suggest a medium probability of exploitation. The vulnerability was publicly disclosed on 2024-10-29.
Exploit Status
EPSS
8.69% (92% percentile)
CVSS Vector
The primary mitigation for CVE-2024-5982 is to immediately upgrade to version 20240918 or later. If upgrading is not immediately feasible, consider implementing temporary workarounds such as restricting file upload locations and types, and carefully validating all user-supplied input. Web application firewalls (WAFs) configured to detect and block path traversal attempts can provide an additional layer of defense. Monitor application logs for suspicious file access patterns and unusual directory creation activity.
Update to version 20240918 or later. This version corrects the path traversal vulnerability by properly sanitizing user inputs. The update mitigates the risk of remote code execution and sensitive information leakage.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2024-5982 is a critical vulnerability allowing attackers to manipulate file paths in gaizhenbiao/chuanhuchatgpt versions before 20240918, potentially leading to RCE and data leakage.
You are affected if you are using gaizhenbiao/chuanhuchatgpt versions prior to 20240918. Immediately upgrade to the patched version.
Upgrade to version 20240918 or later. Implement temporary workarounds like restricting file uploads if immediate upgrade is not possible.
While no widespread exploitation has been confirmed, the vulnerability's severity and ease of exploitation suggest a potential for active exploitation.
Refer to the project's repository or official communication channels for the advisory related to CVE-2024-5982.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your requirements.txt file and we'll tell you instantly if you're affected.