CRITICAL🇵🇱 Wersja polska

CVE-2024-5822

CVSS 9.8v3.1pub. 2024-06-27upd. 2025-07-15

A Server-Side Request Forgery (SSRF) vulnerability exists in the upload processing interface of gaizhenbiao/ChuanhuChatGPT versions <= ChuanhuChatGPT-20240410-git.zip. This vulnerability allows attackers to send crafted requests from the vulnerable server to internal or external resources, potentially bypassing security controls and accessing sensitive data.

🤖 AI Analysis
How it works

The vulnerability results from insufficient input validation in the upload interface, which is classified as CWE-918. An attacker can submit a crafted request containing a URL pointing to internal infrastructure resources (e.g., cloud metadata, internal services, local administrative interfaces). The server processes such a request on its own side, acting as an intermediary and potentially exposing the response to the attacker. The exploit does not require authentication, user interaction, or special privileges.

Impact

An attacker can bypass access control mechanisms and gain access to sensitive data stored in internal network resources, including potentially confidential configurations, credentials, or services not directly accessible from the Internet. Depending on the environment, this can lead to complete compromise of system confidentiality, integrity, and availability (CVSS C:H/I:H/A:H).

Mitigation & patch

Apply patches available from the vendor according to the references. It is recommended to update to a version newer than ChuanhuChatGPT-20240410-git.zip. Additionally, it is recommended to implement restrictive filtering rules for outgoing HTTP requests on the server side (allowlist of permitted domains/IP addresses) and network isolation of the application instance.

Who is affected

Gaizhenbiao ChuanhuChatGPT in versions <= ChuanhuChatGPT-20240410-git.zip

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Gaizhenbiao Chuanhuchatgpt

    APP
    Gaizhenbiao
    20240410
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
SSRF
CWE
References

Related vulnerabilities

CVE-2024-5823CRITICAL9.1PL ✓ten sam produkt

Nadpisanie plików konfiguracyjnych w ChuanhuChatGPT (file overwrite)

CVE-2024-5982CRITICAL9.8PL ✓ten sam produkt

Path Traversal i RCE w ChuanhuChatGPT — niezabezpieczone dane wejściowe

CVE-2024-6037CRITICAL9.1PL ✓ten sam produkt

Tworzenie arbitralnych folderów na serwerze w ChuanhuChatGPT

CVE-2024-6036CRITICAL9.1PL ✓ten sam produkt

Nieautoryzowany restart serwera w ChuanhuChatGPT poprzez endpoint /queue/join

CVE-2024-3234CRITICAL9.8PL ✓ten sam produkt

Path traversal w ChuanhuChatGPT — dostęp do poufnych plików