Platform: python
Component: gaizhenbiao/chuanhuchatgpt
Fixed in: 20240918
CVE-2024-5982 represents a critical Path Traversal vulnerability discovered in gaizhenbiao/chuanhuchatgpt, a Python-based application. This flaw allows attackers to manipulate file paths, potentially leading to remote code execution (RCE) and sensitive data exposure. The vulnerability affects versions of the application prior to 20240918, and a patch has been released to address the issue.
The impact of CVE-2024-5982 is significant due to the potential for remote code execution. Attackers can leverage the unsanitized input handling in multiple areas of the application to upload arbitrary files, create directories, and load malicious templates. Specifically, the load_chat_history function allows for arbitrary file uploads, while get_history_names permits directory creation. The load_template function can be exploited to leak the first column of CSV files, potentially exposing sensitive information. Successful exploitation could lead to complete system compromise, data breaches, and denial of service.
CVE-2024-5982 is currently not listed on the CISA KEV catalog. Public proof-of-concept exploits are not yet widely available, but the vulnerability's severity and ease of exploitation suggest a medium probability of exploitation. The vulnerability was publicly disclosed on 2024-10-29.
Organizations deploying gaizhenbiao/chuanhuchatgpt, particularly those using it for handling user-uploaded content or sensitive data, are at significant risk. Shared hosting environments where multiple users share the same server and file system are especially vulnerable, as an attacker could potentially compromise other users' data.
• python / server:

    def check_file_path(filepath):
        """Heuristic: flag paths that contain '..' or reference the web root."""
        if '..' in filepath or '/var/www/html' in filepath:
            return True  # Potential path traversal
        return False

    # Example usage (replace with actual file path from application)
    file_path = '/path/to/uploaded/file.txt'
    if check_file_path(file_path):
        print(f"Potential path traversal detected: {file_path}")

• linux / server:

    # Monitor for unusual file creation in sensitive directories
    # (--line-buffered keeps the first grep from holding output back in the pipe)
    journalctl -f | grep --line-buffered 'create file' | grep '/var/www/html'
EPSS: 8.69% (92nd percentile)
The primary mitigation for CVE-2024-5982 is to immediately upgrade to version 20240918 or later. If upgrading is not immediately feasible, consider implementing temporary workarounds such as restricting file upload locations and types, and carefully validating all user-supplied input. Web application firewalls (WAFs) configured to detect and block path traversal attempts can provide an additional layer of defense. Monitor application logs for suspicious file access patterns and unusual directory creation activity.
Update to version 20240918 or later. This version fixes the path traversal vulnerability by correctly sanitizing user input. The update mitigates the risk of remote code execution and leakage of sensitive information.
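The input validation and upload-location restriction recommended above, as an added example that is not the project's patch or code from this page: a helper that resolves a user-supplied name and rejects anything landing outside its base directory. The names resolve_inside and PathEscapeError, the history/alice layout and the sample inputs are constructed for illustration.

```python
import os
import tempfile

class PathEscapeError(ValueError):
    """Raised when a user-supplied name resolves outside the allowed base."""

def resolve_inside(base_dir, user_name):
    """Return the absolute path for user_name, confined to base_dir (hypothetical helper)."""
    if "\x00" in user_name:
        raise PathEscapeError("NUL byte in name")
    base = os.path.realpath(base_dir)
    # os.path.join drops `base` when user_name is absolute; realpath also
    # collapses '..' and follows symlinks, so we compare final locations.
    candidate = os.path.realpath(os.path.join(base, user_name))
    # commonpath compares whole path components, unlike str.startswith,
    # which would accept a sibling such as 'alice_evil' for base 'alice'.
    if os.path.commonpath([base, candidate]) != base:
        raise PathEscapeError(f"{user_name!r} escapes {base}")
    return candidate

def demo():
    """Run constructed inputs through the check; return {name: accepted}."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        base = os.path.join(root, "history", "alice")  # assumed per-user directory
        os.makedirs(base)
        os.makedirs(os.path.join(root, "history", "alice_evil"))
        samples = [
            "chat1.json",            # ordinary file name
            "sub/chat2.json",        # nested, still inside the base
            "notes..v2.json",        # contains '..' but is harmless
            "../bob/chat.json",      # another user's directory
            "../alice_evil/x.json",  # shares the base's string prefix
            "/etc/passwd",           # absolute path replaces the base
        ]
        for name in samples:
            try:
                resolve_inside(base, name)
                results[name] = True
            except PathEscapeError:
                results[name] = False
    return results

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{'allow' if ok else 'BLOCK':5}  {name}")
```

Unlike a substring test for '..', this accepts the harmless notes..v2.json and still rejects the absolute path, which contains no traversal sequence at all.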
CVE-2024-5982 is a critical vulnerability allowing attackers to manipulate file paths in gaizhenbiao/chuanhuchatgpt versions before 20240918, potentially leading to RCE and data leakage.
You are affected if you are using gaizhenbiao/chuanhuchatgpt versions prior to 20240918. Immediately upgrade to the patched version.
Upgrade to version 20240918 or later. Implement temporary workarounds like restricting file uploads if immediate upgrade is not possible.
While no widespread exploitation has been confirmed, the vulnerability's severity and ease of exploitation suggest a potential for active exploitation.
Refer to the project's repository or official communication channels for the advisory related to CVE-2024-5982.