Platform: python
Component: chuanhuchatgpt
Fixed in: 20240918
CVE-2024-6090 describes a Path Traversal vulnerability found in gaizhenbiao/chuanhuchatgpt versions prior to 20240918. This flaw allows unauthorized users to delete sensitive data, including chat histories and arbitrary .json files, potentially leading to a denial of service and data loss. The vulnerability was publicly disclosed on June 27, 2024, and a patch is available in version 20240918.
The primary impact of CVE-2024-6090 is the ability for an attacker to delete critical data within the chuanhuchatgpt system. Specifically, an attacker can delete other users' chat histories, effectively disrupting their interactions and potentially exposing sensitive information contained within those chats. More critically, the vulnerability allows deletion of any files ending in .json on the target system. This broadens the attack surface significantly, as .json files are commonly used for configuration, data storage, and other essential functions. Deleting these files can lead to a complete denial of service, preventing users from authenticating and accessing the application. The potential for widespread disruption makes this vulnerability a significant concern.
CVE-2024-6090 was publicly disclosed on June 27, 2024. There is currently no indication of active exploitation campaigns targeting this vulnerability. The vulnerability is not listed on the CISA KEV catalog as of this writing. Public proof-of-concept exploits are not widely available, but the ease of exploitation given the path traversal nature suggests that they may emerge. Monitor security advisories and threat intelligence feeds for updates.
Organizations deploying gaizhenbiao/chuanhuchatgpt, particularly those using it for sensitive communications or data storage, are at risk. Shared hosting environments where multiple users share the same server instance are especially vulnerable, as an attacker could potentially compromise the entire environment by exploiting this vulnerability.
• python / server:
find /path/to/chuanhuchatgpt -name '*.json' -type f -mmin -60 # Check for recently modified .json files
• generic web:
curl -I 'http://your-chuanhuchatgpt-server/../../../../etc/passwd' # Attempt path traversal
Exploit status
EPSS: 0.21% (43rd percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2024-6090 is to immediately upgrade to version 20240918 or later. If an immediate upgrade is not feasible due to compatibility issues or system downtime constraints, consider implementing stricter file access controls to limit write permissions within the application's data directory. Implement a Web Application Firewall (WAF) with rules to block requests containing path traversal attempts (e.g., ../ sequences). Regularly monitor system logs for suspicious file deletion activity, particularly targeting .json files. Consider implementing a rollback strategy to a known good state in case of unexpected issues after the upgrade.
Upgrade to version 20240918 or later. This version contains a fix for the path traversal vulnerability that allows unauthorized file deletion. The update will prevent unauthorized users from deleting other users' chat histories and `.json` files.
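As an added illustration of the bug class (not chuanhuchatgpt's own code), the following Python contrasts a naive path join, which lets a crafted chat name reach a .json file outside the history tree, with the containment check a fix needs; the directory layout, user and chat names are assumed.

```python
import os
import tempfile
from pathlib import Path

def naive_history_path(history_dir: str, user: str, name: str) -> str:
    """Vulnerable pattern: the untrusted chat name is joined unchecked, so a
    value such as '../../config' normalises to a file outside history_dir."""
    return os.path.normpath(os.path.join(history_dir, user, name + ".json"))

def safe_history_path(history_dir: str, user: str, name: str) -> str:
    """Hardened pattern: reject separators and dot names, then resolve the
    result and require it to stay inside the user's history directory."""
    for part in (user, name):
        if not part or "/" in part or "\\" in part or part in (".", ".."):
            raise ValueError(f"invalid path component: {part!r}")
    base = (Path(history_dir) / user).resolve()
    candidate = (base / f"{name}.json").resolve()
    # Compare resolved absolute paths, so neither '..' nor a symlink can
    # make the final target escape the per-user directory.
    if base not in candidate.parents:
        raise ValueError("path escapes history directory")
    return str(candidate)

def delete_history(history_dir: str, user: str, name: str) -> bool:
    """Delete one chat history via the hardened path; True if a file was removed."""
    target = Path(safe_history_path(history_dir, user, name))
    if not target.is_file():
        return False
    target.unlink()
    return True

def demo() -> dict:
    """Constructed scenario in a temporary tree: a config.json outside the
    history directory is what the naive join targets and the hardened delete refuses."""
    with tempfile.TemporaryDirectory() as root:
        history = os.path.join(root, "history")
        os.makedirs(os.path.join(history, "alice"))
        config = os.path.join(root, "config.json")
        Path(config).write_text("{}")
        naive = naive_history_path(history, "alice", "../../config")
        try:
            delete_history(history, "alice", "../../config")
            blocked = False
        except ValueError:
            blocked = True
        return {"naive_target": naive, "config_path": config,
                "blocked": blocked, "config_survives": os.path.exists(config)}
```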
CVE-2024-6090 is a Path Traversal vulnerability in gaizhenbiao/chuanhuchatgpt allowing attackers to delete user data and files, potentially causing denial of service.
You are affected if you are using chuanhuchatgpt versions equal to or less than 20240918.
Upgrade to version 20240918 or later. Implement file access controls and WAF rules as temporary mitigations.
There is currently no confirmed active exploitation, but the vulnerability's nature suggests potential for exploitation.
Refer to the gaizhenbiao/chuanhuchatgpt repository and related security announcements for the official advisory.