Platform
python
Component
gaizhenbiao/chuanhuchatgpt
Fixed in
20240305
CVE-2024-3234 represents a critical path traversal vulnerability affecting the chuanhuchatgpt application. This flaw allows unauthorized access to sensitive files, potentially exposing API keys and other configuration data. The vulnerability impacts versions of chuanhuchatgpt released prior to 20240305, and a fix was released on that date.
The primary impact of CVE-2024-3234 is the unauthorized disclosure of sensitive information. Due to the path traversal vulnerability, an attacker can bypass intended access restrictions within the web_assets directory. This enables them to read files outside of this directory, including config.json. This file likely contains API keys, which could then be used to compromise associated services or data. The blast radius extends to any systems or data accessible through the API keys stored in the config.json file. This vulnerability leverages a known issue (CVE-2023-51449) in an outdated gradio component, highlighting the importance of keeping dependencies up to date.
CVE-2024-3234 is based on CVE-2023-51449, a known path traversal vulnerability in gradio. Public proof-of-concept exploits for CVE-2023-51449 exist, increasing the likelihood of exploitation. The vulnerability was published on 2024-06-06. There is no indication of active exploitation campaigns at this time, but the ease of exploitation warrants immediate attention.
Organizations deploying chuanhuchatgpt, particularly those using it in production environments or those that store sensitive API keys within the application's configuration files, are at significant risk. Shared hosting environments where multiple users share the same server instance are also particularly vulnerable, as a compromise of one user's instance could potentially expose data from other users.
• python: Check for the presence of outdated gradio components.

```python
# Report the installed gradio version so it can be compared against the
# release that fixes CVE-2023-51449, the gradio flaw CVE-2024-3234 relies on.
try:
    import gradio
    print(f"gradio version: {gradio.__version__}")
except ImportError:
    print("gradio is not installed.")
```

• generic web: Monitor access logs for requests containing path traversal attempts (e.g., ../).
• generic web: Check for the existence of config.json files in unexpected locations.
• generic web: Monitor for unusual file access patterns within the web_assets directory.
disclosure
Exploit Status
EPSS
85.99% (99th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2024-3234 is to immediately upgrade chuanhuchatgpt to version 20240305 or later. This version incorporates the necessary fix to address the path traversal vulnerability. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to block requests containing path traversal attempts (e.g., ../ sequences). Carefully review and restrict file access permissions within the web_assets directory to further limit the potential impact of this vulnerability. After upgrading, confirm the fix by attempting to access files outside the web_assets directory and verifying that access is denied.
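The log-monitoring detection item above and the WAF suggestion in the mitigation both come down to one check: decode the request path and look for a `..` segment or a request for config.json. The script below, an added example that is not part of this advisory and not chuanhuchatgpt's or gradio's code, runs that check over a few constructed Common Log Format lines; the log format, the web_assets path layout and the sample addresses are assumptions.

```python
import re
from urllib.parse import unquote

# Matches client IP, request target and status of a Common/Combined Log Format
# line (assumed format: what most reverse proxies in front of a Python app emit).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def decode_path(target: str) -> str:
    """Drop the query string and percent-decode until stable, so single- and
    double-encoded sequences (%2e%2e%2f, %252e%252e%252f) are compared in the
    same form as a literal '../'."""
    path = target.split("?", 1)[0]
    for _ in range(3):          # bounded: never loop forever on odd input
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")

def classify(target: str) -> list:
    """Return the reasons a request target looks like a traversal attempt."""
    path = decode_path(target)
    reasons = []
    if ".." in path.split("/"):
        reasons.append("dot-dot segment")
    if path.lower().rstrip("/").endswith("config.json"):
        reasons.append("config.json requested")
    return reasons

def find_traversal_attempts(log_lines):
    """Return (ip, target, status, reasons) for each suspicious request.
    A 200 status on a flagged line means the request was served, not blocked."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = classify(m.group("target"))
        if reasons:
            hits.append((m.group("ip"), m.group("target"), m.group("status"), reasons))
    return hits

# Constructed sample log lines (not real traffic); IPs are from documentation ranges.
SAMPLE_LOG = [
    '203.0.113.5 - - [06/Jun/2024:10:00:01 +0000] "GET /web_assets/../config.json HTTP/1.1" 200 512',
    '203.0.113.5 - - [06/Jun/2024:10:00:02 +0000] "GET /web_assets/%2e%2e/%2e%2e/config.json HTTP/1.1" 403 0',
    '198.51.100.7 - - [06/Jun/2024:10:00:03 +0000] "GET /web_assets/stylesheet/app.css HTTP/1.1" 200 2048',
    '203.0.113.5 - - [06/Jun/2024:10:00:04 +0000] "GET /web_assets/%252e%252e/config.json?v=1 HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for ip, target, status, reasons in find_traversal_attempts(SAMPLE_LOG):
        print(f"{ip} {status} {target} -> {', '.join(reasons)}")
```

The same decode-then-inspect logic is what a WAF rule needs; a rule that only matches a literal `../` misses the encoded variants in the sample.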
Update the chuanhuchatgpt application to version 20240305 or later. This version includes an update of the gradio component that fixes the path traversal vulnerability. This will prevent unauthorized access to sensitive files such as config.json.
CVE-2024-3234 is a critical path traversal vulnerability in chuanhuchatgpt versions before 20240305, allowing attackers to access sensitive files like config.json.
Yes, if you are using chuanhuchatgpt versions prior to 20240305, you are vulnerable to this path traversal attack.
Upgrade to version 20240305 or later to resolve the vulnerability. Consider WAF rules as a temporary mitigation.
While there's no confirmed active exploitation, the vulnerability is easily exploitable and based on a known issue, so immediate action is recommended.
Refer to the project's repository or release notes for the official advisory regarding CVE-2024-3234.