Cyber Resilience

CVE-2024-7962

HighPublic PoC

Published: 29 October 2024

Published
29 October 2024
Modified
01 November 2024
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS Score 0.0041 61.6th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-7962 is a high-severity Path Traversal: '\..\filename' (CWE-29) vulnerability in Gaizhenbiao Chuanhuchatgpt. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005); ranked in the top 38.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

This vulnerability is AI-related — categorised as Enterprise AI Assistants; in the Privacy and Disclosure risk domain; MITRE ATLAS techniques in scope: Obtain Capabilities (AML.T0016), Poison Training Data (AML.T0020), Establish Accounts (AML.T0021).

EU & UK References

Vulnerability details

An arbitrary file read vulnerability exists in gaizhenbiao/chuanhuchatgpt version 20240628 due to insufficient validation when loading prompt template files. An attacker can read any file that matches specific criteria using an absolute path. The file must not have a .json…

more

extension and, except for the first line, every other line must contain commas. This vulnerability allows reading parts of format-compliant files, including code and log files, which may contain highly sensitive information such as account credentials.

CWE(s)

AI Security AnalysisAI

AI Category
Enterprise AI Assistants
Risk Domain
Privacy and Disclosure
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
chuanhuchatgpt is a self-hosted, open-source ChatGPT-like AI chat platform (web UI for LLM interactions), fitting the Enterprise AI Assistants category as it provides an assistant interface for generative AI usage.

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1005 Data from Local System Collection
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
T1552.001 Credentials In Files Credential Access
Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.
T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1654 Log Enumeration Discovery
Adversaries may enumerate system and service logs to find useful data.
Why these techniques?

Arbitrary file read in public-facing web app (T1190) enables collection of local system data (T1005), including credentials in files (T1081, T1552.001) and logs (T1654).

MITRE ATLAS TechniquesAI

MITRE ATLAS techniques

AML.T0016: Obtain CapabilitiesAML.T0020: Poison Training DataAML.T0021: Establish AccountsAML.T0030AML.T0031: Erode AI Model IntegrityAML.T0032

Affected Assets

gaizhenbiao
chuanhuchatgpt
20240628

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-22

Validates pathnames and filenames to prevent traversal outside intended directories.

References