PYSEC-2024-113

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/chuanhuchatgpt/PYSEC-2024-113.yaml
JSON Data
https://api.test.osv.dev/v1/vulns/PYSEC-2024-113
Aliases
Published
2024-10-29T13:15:00Z
Modified
2024-10-31T19:57:49.506552Z
Severity
  • 4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
Summary
[none]
Details

In the latest version (20240628) of gaizhenbiao/chuanhuchatgpt, an issue exists in the /file endpoint that allows authenticated users to access the chat history of other users. When a user logs in, a directory is created in the history folder with the user's name. By manipulating the /file endpoint, an authenticated user can enumerate and access files in other users' directories, leading to unauthorized access to private chat histories. This vulnerability can be exploited to read any user's private chat history.

References

Affected packages

PyPI / chuanhuchatgpt

Package

Affected ranges

Type
GIT
Repo
https://github.com/gaizhenbiao/chuanhuchatgpt
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

3.*

3.2.5