CVE-2024-3234
published 2024-06-06CVE-2024-3234: The gaizhenbiao/chuanhuchatgpt application is vulnerable to a path traversal attack due to its use of an outdated gradio component. The application is designed…
PriorityP267critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
EXPLOIT
EPSS
3.76%
88.5th percentile
The gaizhenbiao/chuanhuchatgpt application is vulnerable to a path traversal attack due to its use of an outdated gradio component. The application is designed to restrict user access to resources within the `web_assets` folder. However, the outdated version of gradio it employs is susceptible to path traversal, as identified in CVE-2023-51449. This vulnerability allows unauthorized users to bypass the intended restrictions and access sensitive files, such as `config.json`, which contains API keys. The issue affects the latest version of chuanhuchatgpt prior to the fixed version released on 20240305.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| gaizhenbiao | chuanhuchatgpt | < 20240305 | 20240305 |
Detection & IOCsextracted from sources · hover to see the quote
- →Look for HTTP GET requests containing path traversal sequences targeting /file=web_assets/../ to reach config.json outside the intended web_assets directory. ↗
- →A successful exploit response will contain both '"openai_api_key":' and '"openai_api_type":' in the JSON body with HTTP 200 and Content-Type application/json.
- →The path traversal is rooted in the outdated gradio component's file-serving endpoint (/file=), as also identified in CVE-2023-51449; monitor for traversal sequences (../) in requests to this endpoint.
- ·The vulnerability affects chuanhuchatgpt versions prior to the fixed release on 20240305; instances updated on or after that date are not affected. ↗
- ·The path traversal is enabled by an outdated gradio dependency; the root cause is the gradio component's /file= endpoint, not chuanhuchatgpt's own code directly.
CVSS provenance
nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv3.09.8CRITICALCVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
No detection rules found.
Nuclei
Chuanhu Chat - Directory Traversal
nuclei·CVSS 7.5
CVE-2024-3234 [HIGH] Chuanhu Chat - Directory Traversal
Chuanhu Chat - Directory Traversal
The gaizhenbiao/chuanhuchatgpt application is vulnerable to a path traversal attack due to its use of an outdated gradio component. The application is designed to restrict user access to resources within the `web_assets` folder. However, the outdated version of gradio it employs is susceptible to path traversal, as identified in CVE-2023-51449. This vulnerability allows unauthorized users to bypass the intended restrictions and access sensitive files, such as `config.json`, which contains API keys. The issue affects the latest version of chuanhuchatgpt prior to the fixed version released on 20240305.
Template:
id: CVE-2024-3234
info:
name: Chuanhu Chat - Directory Traversal
author: DhiyaneshDk
severity: critical
description: |
The gaizhenbiao/chuanhuc
arXiv
Microservice Vulnerability Analysis: A Literature Review with Empirical Insights
arxiv_fulltext·2024-07-31
Microservice Vulnerability Analysis: A Literature Review with Empirical Insights
Microservice Vulnerability Analysis: A Literature Review with Empirical Insights
Raveen Kanishka Jayalath*
University of Adelaide, Australia
[email protected]
Hussain Ahmad* *Authors contributed equally to this work. Corresponding author.
University of Adelaide, Australia
[email protected]
Diksha Goel
CSIRO's Data61, Australia
[email protected]
3cmMuhammad Shuja Syed
3cmSLB, USA
[email protected]
Faheem Ullah
University of Adelaide, Australia
[email protected]
plain
## Abstract
Microservice architectures are revolutionizing both small businesses and large corporations, igniting a new era of innovation with their exceptional advantages in maintainability, reusability, and scalability. However, these benefits come w
Greynoiseio
NoiseLetter October 2025
blogs_greynoiseio
NoiseLetter October 2025
CVE Disclosure Early Warning Get an early warning when traffic spikes indicate a high likelihood of new disclosures
Compromised Asset Detection Find out immediately if an asset communicates with a malicious IP address
Vulnerability Prioritization Get real-time insight into active exploitation trends to better understand risk and severity
SOC Efficiency Filter out noisy, low priority and false-positive alerts from mass internet scanners
Incident Investigation Add context to incidents to speed the determinations of scope and timelines
Threat Hunting Quickly identify anomalous behavior and enrich your threat hunting campaigns
Why GreyNoise
CVE Disclosure Early Warning Get an early warning when traffic spikes indicate a high likelihood of new disclosures
Compromised Asset Detection Fin
https://github.com/gaizhenbiao/chuanhuchatgpt/commit/6b8f7db347b390f6f8bd07ea2a4ef01a47382f00https://huntr.com/bounties/277e3ff0-5878-4809-a4b9-73cdbb70dc9fhttps://github.com/gaizhenbiao/chuanhuchatgpt/commit/6b8f7db347b390f6f8bd07ea2a4ef01a47382f00https://huntr.com/bounties/277e3ff0-5878-4809-a4b9-73cdbb70dc9f
2024-06-06
Published