Cyber Resilience

CVE-2024-8143

MediumPublic PoC

Published: 29 October 2024

Published
29 October 2024
Modified
31 October 2024
KEV Added
Patch
CVSS Score v3.1 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
EPSS Score 0.0019 41.4th percentile
Risk Priority 9 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-8143 is a medium-severity Data Access Operations Outside of Expected Data Manager Component (CWE-1057) vulnerability in Gaizhenbiao Chuanhuchatgpt. Its CVSS base score is 4.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005); ranked at the 41.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

This vulnerability is AI-related — categorised as Enterprise AI Assistants; in the Privacy and Disclosure risk domain.

EU & UK References

Vulnerability details

In the latest version (20240628) of gaizhenbiao/chuanhuchatgpt, an issue exists in the /file endpoint that allows authenticated users to access the chat history of other users. When a user logs in, a directory is created in the history folder with…

more

the user's name. By manipulating the /file endpoint, an authenticated user can enumerate and access files in other users' directories, leading to unauthorized access to private chat histories. This vulnerability can be exploited to read any user's private chat history.

CWE(s)

AI Security AnalysisAI

AI Category
Enterprise AI Assistants
Risk Domain
Privacy and Disclosure
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
ChuanHuChatGPT is a web-based chat interface and platform for interacting with LLMs like ChatGPT, fitting the Enterprise AI Assistants category as it provides user-facing AI chat functionality with history management.

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1005 Data from Local System Collection
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
T1083 File and Directory Discovery Discovery
Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.
T1087.001 Local Account Discovery
Adversaries may attempt to get a listing of local system accounts.
Why these techniques?

The vulnerability allows authenticated users to manipulate the /file endpoint to enumerate directories named after other users (T1087.001 Local Account) and access their chat history files (T1083 File and Directory Discovery, T1005 Data from Local System).

Affected Assets

gaizhenbiao
chuanhuchatgpt
2024-06-28

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References