CVE-2023-34094
7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
ChuanhuChatGPT is a graphical user interface for ChatGPT and many large language models. A vulnerability in versions 20230526 and prior allows unauthorized access to the config.json file of the privately deployed ChuanghuChatGPT project, when authentication is not configured. The attacker can exploit this vulnerability to steal the API keys in the configuration file. The vulnerability has been fixed in commit bfac445. As a workaround, setting up access authentication can help mitigate the vulnerability.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| GaiZhenbiao | ChuanhuChatGPT | <= 20230526 | affected |
Weaknesses
- CWE-200: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
ADP Enrichment
CVE Program Container
Additional References
- https://github.com/GaiZhenbiao/ChuanhuChatGPT/security/advisories/GHSA-j34w-9xr4-m9p8
- https://github.com/GaiZhenbiao/ChuanhuChatGPT/commit/bfac445e799c317b0f5e738ab394032a18de62eb
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: yes
- Technical Impact: partial
References
- https://github.com/GaiZhenbiao/ChuanhuChatGPT/security/advisories/GHSA-j34w-9xr4-m9p8
- https://github.com/GaiZhenbiao/ChuanhuChatGPT/commit/bfac445e799c317b0f5e738ab394032a18de62eb
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.