PYSEC-2024-113

Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/chuanhuchatgpt/PYSEC-2024-113.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2024-113
Aliases
Published
2024-10-29T13:15:00Z
Modified
2024-10-31T19:44:10.976096Z
Severity
  • 4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
Summary
[none]
Details

In the latest version (20240628) of gaizhenbiao/chuanhuchatgpt, the /file endpoint allows an authenticated user to read other users' chat histories. When a user logs in, the application creates a directory named after that user inside the history folder. The /file endpoint does not restrict the requested path to the caller's own directory, so an authenticated user can craft requests that enumerate and read files in other users' directories. The result is that any logged-in user can read any other user's private chat history, which matches the CVSS 3.1 vector above: reachable over the network, low attack complexity, low privileges (a valid account) required, no user interaction, and an impact limited to confidentiality.
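The following is an added example, not code from the chuanhuchatgpt project, that reconstructs the class of bug described above in a minimal form: a per-user history directory, a file handler that joins a user-supplied name onto it without confinement, and a hardened handler that resolves the path and refuses anything that does not stay under the caller's own directory. The function names, the two users, and the history layout are assumptions made for the demonstration; the project's real /file handler is not reproduced here.

```python
import os
import tempfile
from pathlib import Path


class Forbidden(Exception):
    """Raised when a request would escape the caller's own history directory."""


def setup_history_root() -> Path:
    """Build a throw-away history folder with two users (constructed sample data,
    not taken from the project). Layout: <root>/<user>/chat.json"""
    root = Path(tempfile.mkdtemp(prefix="history-"))
    for user, text in (("alice", "alice's private chat"), ("bob", "bob's private chat")):
        user_dir = root / user
        user_dir.mkdir()
        (user_dir / "chat.json").write_text(text)
    return root


def serve_file_vulnerable(root: Path, current_user: str, requested: str) -> str:
    """Hypothetical handler mirroring the flaw in the description: the requested
    name is joined onto the caller's history directory and served if it exists.
    Nothing checks that the resulting path is still inside that directory, so
    '../bob/chat.json' escapes it, and an absolute path replaces the prefix
    entirely because pathlib's '/' operator discards the left side for it."""
    target = root / current_user / requested
    if not target.is_file():
        raise FileNotFoundError(requested)
    return target.read_text()


def _confine(root: Path, current_user: str, requested: str) -> Path:
    """Resolve the request and refuse it unless the real path stays under the
    caller's own directory. resolve() follows symlinks and collapses '..', so
    the comparison is made on the final filesystem location, not the raw string."""
    user_dir = (root / current_user).resolve()
    target = (user_dir / requested).resolve()
    try:
        common = os.path.commonpath([str(user_dir), str(target)])
    except ValueError:  # different drives on Windows: cannot be inside user_dir
        raise Forbidden(requested) from None
    if common != str(user_dir):
        raise Forbidden(requested)
    return target


def serve_file_hardened(root: Path, current_user: str, requested: str) -> str:
    """Same contract as the vulnerable handler, with the containment check first."""
    target = _confine(root, current_user, requested)
    if not target.is_file():
        raise FileNotFoundError(requested)
    return target.read_text()


def list_files_hardened(root: Path, current_user: str, requested: str = ".") -> list:
    """Directory listing under the same confinement, so enumeration is limited
    to the caller's own history as well."""
    target = _confine(root, current_user, requested)
    if not target.is_dir():
        raise FileNotFoundError(requested)
    return sorted(p.name for p in target.iterdir())


if __name__ == "__main__":
    history = setup_history_root()
    # alice reads bob's history through the vulnerable handler ...
    print(serve_file_vulnerable(history, "alice", "../bob/chat.json"))
    # ... and is refused by the hardened one.
    try:
        serve_file_hardened(history, "alice", "../bob/chat.json")
    except Forbidden as exc:
        print("forbidden:", exc)
```

The check compares resolved paths rather than rejecting the literal string `..`, because URL-decoding, symlinks inside the history folder, and absolute paths all defeat a string filter while leaving the resolved location outside the user's directory. Listing is confined in the same helper so that enumeration, which the advisory calls out separately, is closed by the same control as reading.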

References

Affected packages

Package
PyPI / chuanhuchatgpt

Affected ranges

Type: GIT
Repo: https://github.com/gaizhenbiao/chuanhuchatgpt
Events:
  Introduced: 0 (unknown introduced commit; all previous commits are affected)
  Fixed: (none listed)

Type: ECOSYSTEM
Events:
  Introduced: 0 (unknown introduced version; all previous versions are affected)

Affected versions
  3.*: 3.2.5