CVE-2024-7962
HIGH EPSS 51.4%
Published Oct 29, 20241y ago · Modified Jun 17, 20261w ago
7.5 CVSS 3.1
Published Oct 29, 2024 1y ago
Last Modified Jun 17, 2026 1w ago
Description
An arbitrary file read vulnerability exists in gaizhenbiao/chuanhuchatgpt version 20240628 due to insufficient validation when loading prompt template files. An attacker can read any file that matches specific criteria using an absolute path. The file must not have a .json extension and, except for the first line, every other line must contain commas. This vulnerability allows reading parts of format-compliant files, including code and log files, which may contain highly sensitive information such as account credentials.
CVSS Details
Base Score
Exploitability
Impact
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality High
Integrity None
Availability None
Threat Intelligence
EPSS Exploit Probability
51.4% percentile
Exploit & Patch Status
Public Exploit Known
Patch Available
Weaknesses 2
CWE-22 Path Traversal Resource Mgmt
CWE-29
Affected Products 1
| Vendor | Product | Version | Range |
|---|---|---|---|
| gaizhenbiao | chuanhuchatgpt | 20240628 | any |
References 2
- github.com https://github.com/gaizhenbiao/chuanhuchatgpt/commit/2836fd1db3efcd5ede63c0e7fbbdf677730dbb51
- huntr.com https://huntr.com/bounties/83f0a8e1-490c-49e7-b334-02125ee0f1b1
Remediation
- github.com https://github.com/gaizhenbiao/chuanhuchatgpt/commit/2836fd1db3efcd5ede63c0e7fbbdf677730dbb51