AVID-2026-R1472

Description

Path Traversal in gaizhenbiao/chuanhuchatgpt (CVE-2024-3234)

Details

The gaizhenbiao/chuanhuchatgpt application is vulnerable to a path traversal attack due to its use of an outdated gradio component. The application is designed to restrict user access to resources within the web_assets folder. However, the outdated version of gradio it employs is susceptible to path traversal, as identified in CVE-2023-51449. This vulnerability allows unauthorized users to bypass the intended restrictions and access sensitive files, such as config.json, which contains API keys. The issue affects the latest version of chuanhuchatgpt prior to the fixed version released on 20240305.

Reason for inclusion in AVID: The CVE-2024-3234 report describes a path traversal vulnerability in the gaizhenbiao/chuanhuchatgpt application caused by an outdated Gradio component. This is a software supply-chain risk since it arises from a vulnerable dependency used in an AI-related application (an AI chat/serving stack). It can lead to unauthorized access to sensitive files (e.g., config.json with API keys), representing a security/safety vulnerability in AI software pipelines. The report provides explicit details, CVSS metrics, and references, supporting its classification as a vulnerability to curate.

References

• NVD entry
• https://huntr.com/bounties/277e3ff0-5878-4809-a4b9-73cdbb70dc9f
• https://github.com/gaizhenbiao/chuanhuchatgpt/commit/6b8f7db347b390f6f8bd07ea2a4ef01a47382f00

Affected or Relevant Artifacts

• Developer: OpenAI
• Deployer: OpenAI
• Artifact Details:

Impact

AVID Taxonomy Categorization

• Risk domains: Security
• SEP subcategories: S0100: Software Vulnerability
• Lifecycle stages: L06: Deployment

CVSS

CWE

Other information

• Report Type: Advisory
• Credits:
• Date Reported: 2024-06-06
• Version: 0.3.3
• AVID Entry