CVE-2023-34094 : ChuanhuChatGPT is a graphical user interface for ChatGPT and many large language

ChuanhuChatGPT is a graphical user interface for ChatGPT and many large language models. A vulnerability in versions 20230526 and prior allows unauthorized access to the config.json file of the privately deployed ChuanghuChatGPT project, when authentication is not configured. The attacker can exploit this vulnerability to steal the API keys in the configuration file. The vulnerability has been fixed in commit bfac445. As a workaround, setting up access authentication can help mitigate the vulnerability.

Published 2023-06-02 16:15:10

Updated 2023-06-16 14:33:56

Source GitHub, Inc.

View at NVD, CVE.org

Vulnerability category: BypassInformation leak

Products affected by CVE-2023-34094

Chuanhuchatgpt Project » Chuanhuchatgpt » For Chatgpt
Versions up to, including, (<=) 2023-05-26
cpe:2.3:a:chuanhuchatgpt_project:chuanhuchatgpt:*:*:*:*:*:chatgpt:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2023-34094

EPSS FAQ

0.20%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 43 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2023-34094

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
5.3	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N	3.9	1.4	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: Low Integrity: None Availability: None
7.5	HIGH	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N	3.9	3.6	GitHub, Inc.
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: None Availability: None

CWE ids for CVE-2023-34094

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Assigned by: security-advisories@github.com (Secondary)
CWE-306 Missing Authentication for Critical Function

The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2023-34094

https://github.com/GaiZhenbiao/ChuanhuChatGPT/commit/bfac445e799c317b0f5e738ab394032a18de62eb

增加 blocked path · GaiZhenbiao/ChuanhuChatGPT@bfac445 · GitHub
Patch
https://github.com/GaiZhenbiao/ChuanhuChatGPT/security/advisories/GHSA-j34w-9xr4-m9p8

Unauthorized configuration file access · Advisory · GaiZhenbiao/ChuanhuChatGPT · GitHub
Vendor Advisory

Jump to

Vulnerability Details : CVE-2023-34094

Products affected by CVE-2023-34094

Exploit prediction scoring system (EPSS) score for CVE-2023-34094

CVSS scores for CVE-2023-34094

CWE ids for CVE-2023-34094

References for CVE-2023-34094