CVE-2024-8143 – chuanhuchatgpt

Package

Manager: pip
Name: chuanhuchatgpt
Vulnerable Version: =3.2.5 || >=0 <ccc7479ace5c9e1a1d9f4daf2e794ffd3865fc2b

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00137 pctl0.3435

Details

In the latest version (20240628) of gaizhenbiao/chuanhuchatgpt, an issue exists in the /file endpoint that allows authenticated users to access the chat history of other users. When a user logs in, a directory is created in the history folder with the user's name. By manipulating the /file endpoint, an authenticated user can enumerate and access files in other users' directories, leading to unauthorized access to private chat histories. This vulnerability can be exploited to read any user's private chat history.

Metadata

Created: 2024-10-29T13:15:00Z
Modified: 2024-10-31T19:44:10.976096Z
Source: https://osv-vulnerabilities
CWE IDs: N/A
Alternative ID: N/A
Finding: F123
Auto approve: 1