CVE-2024-3404 (GCVE-0-2024-3404)

Vulnerability from cvelistv5 – Published: 2024-06-06 18:45 – Updated: 2025-10-15 12:49
VLAI?
Summary
In gaizhenbiao/chuanhuchatgpt, specifically the version tagged as 20240121, there exists a vulnerability due to improper access control mechanisms. This flaw allows an authenticated attacker to bypass intended access restrictions and read the `history` files of other users, potentially leading to unauthorized access to sensitive information. The vulnerability is present in the application's handling of access control for the `history` path, where no adequate mechanism is in place to prevent an authenticated user from accessing another user's chat history files. This issue poses a significant risk as it could allow attackers to obtain sensitive information from the chat history of other users.
Severity ?
6.5 (Medium)
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CWE
  • CWE-863 - Incorrect Authorization
Assigner
References
Impacted products
Vendor Product Version
gaizhenbiao gaizhenbiao/chuanhuchatgpt Affected: unspecified , < 20240919 (custom)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:gaizhenbiao:chuanhuchatgpt:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "chuanhuchatgpt",
            "vendor": "gaizhenbiao",
            "versions": [
              {
                "status": "affected",
                "version": "20240121"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-3404",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-06-06T19:40:35.850902Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-06T19:42:28.486Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-01T20:12:06.467Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://huntr.com/bounties/ed32fc32-cb8f-4fbd-8209-cc835d279699"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "gaizhenbiao/chuanhuchatgpt",
          "vendor": "gaizhenbiao",
          "versions": [
            {
              "lessThan": "20240919",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In gaizhenbiao/chuanhuchatgpt, specifically the version tagged as 20240121, there exists a vulnerability due to improper access control mechanisms. This flaw allows an authenticated attacker to bypass intended access restrictions and read the `history` files of other users, potentially leading to unauthorized access to sensitive information. The vulnerability is present in the application\u0027s handling of access control for the `history` path, where no adequate mechanism is in place to prevent an authenticated user from accessing another user\u0027s chat history files. This issue poses a significant risk as it could allow attackers to obtain sensitive information from the chat history of other users."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-863",
              "description": "CWE-863 Incorrect Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-10-15T12:49:37.176Z",
        "orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
        "shortName": "@huntr_ai"
      },
      "references": [
        {
          "url": "https://huntr.com/bounties/ed32fc32-cb8f-4fbd-8209-cc835d279699"
        },
        {
          "url": "https://github.com/gaizhenbiao/chuanhuchatgpt/commit/ccc7479ace5c9e1a1d9f4daf2e794ffd3865fc2b"
        }
      ],
      "source": {
        "advisory": "ed32fc32-cb8f-4fbd-8209-cc835d279699",
        "discovery": "EXTERNAL"
      },
      "title": "Improper Access Control in gaizhenbiao/chuanhuchatgpt"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
    "assignerShortName": "@huntr_ai",
    "cveId": "CVE-2024-3404",
    "datePublished": "2024-06-06T18:45:12.500Z",
    "dateReserved": "2024-04-05T18:12:08.080Z",
    "dateUpdated": "2025-10-15T12:49:37.176Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:gaizhenbiao:chuanhuchatgpt:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"20240919-4\", \"matchCriteriaId\": \"57443B25-BE0F-460B-A3B8-7678188C00CC\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"In gaizhenbiao/chuanhuchatgpt, specifically the version tagged as 20240121, there exists a vulnerability due to improper access control mechanisms. This flaw allows an authenticated attacker to bypass intended access restrictions and read the `history` files of other users, potentially leading to unauthorized access to sensitive information. The vulnerability is present in the application\u0027s handling of access control for the `history` path, where no adequate mechanism is in place to prevent an authenticated user from accessing another user\u0027s chat history files. This issue poses a significant risk as it could allow attackers to obtain sensitive information from the chat history of other users.\"}, {\"lang\": \"es\", \"value\": \"En gaizhenbiao/chuanhuchatgpt, espec\\u00edficamente en la versi\\u00f3n etiquetada como 20240121, existe una vulnerabilidad debido a mecanismos de control de acceso inadecuados. Esta falla permite a un atacante autenticado eludir las restricciones de acceso previstas y leer los archivos \\\"historiales\\\" de otros usuarios, lo que podr\\u00eda conducir a un acceso no autorizado a informaci\\u00f3n confidencial. La vulnerabilidad est\\u00e1 presente en el manejo del control de acceso de la aplicaci\\u00f3n para la ruta del \\\"historial\\\", donde no existe ning\\u00fan mecanismo adecuado para evitar que un usuario autenticado acceda a los archivos del historial de chat de otro usuario. Este problema plantea un riesgo importante, ya que podr\\u00eda permitir a los atacantes obtener informaci\\u00f3n confidencial del historial de chat de otros usuarios.\"}]",
      "id": "CVE-2024-3404",
      "lastModified": "2024-11-21T09:29:31.663",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\", \"baseScore\": 6.5, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 3.6}], \"cvssMetricV30\": [{\"source\": \"security@huntr.dev\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.0\", \"vectorString\": \"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\", \"baseScore\": 6.5, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 3.6}]}",
      "published": "2024-06-06T19:16:01.673",
      "references": "[{\"url\": \"https://huntr.com/bounties/ed32fc32-cb8f-4fbd-8209-cc835d279699\", \"source\": \"security@huntr.dev\", \"tags\": [\"Exploit\", \"Issue Tracking\", \"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://huntr.com/bounties/ed32fc32-cb8f-4fbd-8209-cc835d279699\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Exploit\", \"Issue Tracking\", \"Patch\", \"Third Party Advisory\"]}]",
      "sourceIdentifier": "security@huntr.dev",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"security@huntr.dev\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-284\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-3404\",\"sourceIdentifier\":\"security@huntr.dev\",\"published\":\"2024-06-06T19:16:01.673\",\"lastModified\":\"2025-10-15T13:15:43.100\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In gaizhenbiao/chuanhuchatgpt, specifically the version tagged as 20240121, there exists a vulnerability due to improper access control mechanisms. This flaw allows an authenticated attacker to bypass intended access restrictions and read the `history` files of other users, potentially leading to unauthorized access to sensitive information. The vulnerability is present in the application\u0027s handling of access control for the `history` path, where no adequate mechanism is in place to prevent an authenticated user from accessing another user\u0027s chat history files. This issue poses a significant risk as it could allow attackers to obtain sensitive information from the chat history of other users.\"},{\"lang\":\"es\",\"value\":\"En gaizhenbiao/chuanhuchatgpt, espec\u00edficamente en la versi\u00f3n etiquetada como 20240121, existe una vulnerabilidad debido a mecanismos de control de acceso inadecuados. Esta falla permite a un atacante autenticado eludir las restricciones de acceso previstas y leer los archivos \\\"historiales\\\" de otros usuarios, lo que podr\u00eda conducir a un acceso no autorizado a informaci\u00f3n confidencial. La vulnerabilidad est\u00e1 presente en el manejo del control de acceso de la aplicaci\u00f3n para la ruta del \\\"historial\\\", donde no existe ning\u00fan mecanismo adecuado para evitar que un usuario autenticado acceda a los archivos del historial de chat de otro usuario. Este problema plantea un riesgo importante, ya que podr\u00eda permitir a los atacantes obtener informaci\u00f3n confidencial del historial de chat de otros usuarios.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":3.6}],\"cvssMetricV30\":[{\"source\":\"security@huntr.dev\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.0\",\"vectorString\":\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security@huntr.dev\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-863\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:gaizhenbiao:chuanhuchatgpt:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"20240919-4\",\"matchCriteriaId\":\"57443B25-BE0F-460B-A3B8-7678188C00CC\"}]}]}],\"references\":[{\"url\":\"https://github.com/gaizhenbiao/chuanhuchatgpt/commit/ccc7479ace5c9e1a1d9f4daf2e794ffd3865fc2b\",\"source\":\"security@huntr.dev\"},{\"url\":\"https://huntr.com/bounties/ed32fc32-cb8f-4fbd-8209-cc835d279699\",\"source\":\"security@huntr.dev\",\"tags\":[\"Exploit\",\"Issue Tracking\",\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://huntr.com/bounties/ed32fc32-cb8f-4fbd-8209-cc835d279699\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Issue Tracking\",\"Patch\",\"Third Party Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://huntr.com/bounties/ed32fc32-cb8f-4fbd-8209-cc835d279699\", \"tags\": [\"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-01T20:12:06.467Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-3404\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-06-06T19:40:35.850902Z\"}}}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:gaizhenbiao:chuanhuchatgpt:*:*:*:*:*:*:*:*\"], \"vendor\": \"gaizhenbiao\", \"product\": \"chuanhuchatgpt\", \"versions\": [{\"status\": \"affected\", \"version\": \"20240121\"}], \"defaultStatus\": \"unknown\"}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-06-06T19:42:14.027Z\"}}], \"cna\": {\"title\": \"Improper Access Control in gaizhenbiao/chuanhuchatgpt\", \"source\": {\"advisory\": \"ed32fc32-cb8f-4fbd-8209-cc835d279699\", \"discovery\": \"EXTERNAL\"}, \"metrics\": [{\"cvssV3_0\": {\"scope\": \"UNCHANGED\", \"version\": \"3.0\", \"baseScore\": 6.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"gaizhenbiao\", \"product\": \"gaizhenbiao/chuanhuchatgpt\", \"versions\": [{\"status\": \"affected\", \"version\": \"unspecified\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"latest\"}]}], \"references\": [{\"url\": \"https://huntr.com/bounties/ed32fc32-cb8f-4fbd-8209-cc835d279699\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"In gaizhenbiao/chuanhuchatgpt, specifically the version tagged as 20240121, there exists a vulnerability due to improper access control mechanisms. This flaw allows an authenticated attacker to bypass intended access restrictions and read the `history` files of other users, potentially leading to unauthorized access to sensitive information. The vulnerability is present in the application\u0027s handling of access control for the `history` path, where no adequate mechanism is in place to prevent an authenticated user from accessing another user\u0027s chat history files. This issue poses a significant risk as it could allow attackers to obtain sensitive information from the chat history of other users.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-284\", \"description\": \"CWE-284 Improper Access Control\"}]}], \"providerMetadata\": {\"orgId\": \"c09c270a-b464-47c1-9133-acb35b22c19a\", \"shortName\": \"@huntr_ai\", \"dateUpdated\": \"2024-06-06T18:45:12.500Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-3404\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-08-01T20:12:06.467Z\", \"dateReserved\": \"2024-04-05T18:12:08.080Z\", \"assignerOrgId\": \"c09c270a-b464-47c1-9133-acb35b22c19a\", \"datePublished\": \"2024-06-06T18:45:12.500Z\", \"assignerShortName\": \"@huntr_ai\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.