CVE-2023-34094

ChuanhuChatGPT is a graphical user interface for ChatGPT and many large language models. A vulnerability in versions 20230526 and prior allows unauthorized access to the config.json file of the privately deployed ChuanghuChatGPT project, when authentication is not configured. The attacker can exploit this vulnerability to steal the API keys in the configuration file. The vulnerability has been fixed in commit bfac445. As a workaround, setting up access authentication can help mitigate the vulnerability.

CVSS v3 5.3 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/GaiZhenbiao/ChuanhuChatGPT/commit/bfac445e799c317b0f5e738ab394032a18de62eb	Patch
https://github.com/GaiZhenbiao/ChuanhuChatGPT/security/advisories/GHSA-j34w-9xr4-m9p8	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:chuanhuchatgpt_project:chuanhuchatgpt:*:*:*:*:*:chatgpt:*:*

History

No history.

Information

Published : 2023-06-02 16:15

Updated : 2023-06-16 14:33

NVD link : CVE-2023-34094

Mitre link : CVE-2023-34094

CVE.ORG link : CVE-2023-34094

JSON object : View

Products Affected

chuanhuchatgpt_project

chuanhuchatgpt

CWE

CWE-306

Missing Authentication for Critical Function

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

{"id": "CVE-2023-34094", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2023-06-02T16:15:09.850", "references": [{"url": "https://github.com/GaiZhenbiao/ChuanhuChatGPT/commit/bfac445e799c317b0f5e738ab394032a18de62eb", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/GaiZhenbiao/ChuanhuChatGPT/security/advisories/GHSA-j34w-9xr4-m9p8", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-306"}]}, {"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-200"}]}], "descriptions": [{"lang": "en", "value": "ChuanhuChatGPT is a graphical user interface for ChatGPT and many large language models. A vulnerability in versions 20230526 and prior allows unauthorized access to the config.json file of the privately deployed ChuanghuChatGPT project, when authentication is not configured. The attacker can exploit this vulnerability to steal the API keys in the configuration file. The vulnerability has been fixed in commit bfac445. As a workaround, setting up access authentication can help mitigate the vulnerability."}], "lastModified": "2023-06-16T14:33:55.800", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:chuanhuchatgpt_project:chuanhuchatgpt:*:*:*:*:*:chatgpt:*:*", "vulnerable": true, "matchCriteriaId": "478430FF-6104-45D4-87C4-A22E4CE73B45", "versionEndIncluding": "2023-05-26"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}