CVE-2024-8143
Published: 29 October 2024
Summary
CVE-2024-8143 is a medium-severity Data Access Operations Outside of Expected Data Manager Component (CWE-1057) vulnerability in Gaizhenbiao Chuanhuchatgpt. Its CVSS base score is 4.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005); ranked at the 41.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
This vulnerability is AI-related — categorised as Enterprise AI Assistants; in the Privacy and Disclosure risk domain.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-0023
Vulnerability details
In the latest version (20240628) of gaizhenbiao/chuanhuchatgpt, an issue exists in the /file endpoint that allows authenticated users to access the chat history of other users. When a user logs in, a directory is created in the history folder with…
more
the user's name. By manipulating the /file endpoint, an authenticated user can enumerate and access files in other users' directories, leading to unauthorized access to private chat histories. This vulnerability can be exploited to read any user's private chat history.
- CWE(s)
AI Security AnalysisAI
- AI Category
- Enterprise AI Assistants
- Risk Domain
- Privacy and Disclosure
- OWASP Top 10 for LLMs 2025
- None mapped
- Classification Reason
- ChuanHuChatGPT is a web-based chat interface and platform for interacting with LLMs like ChatGPT, fitting the Enterprise AI Assistants category as it provides user-facing AI chat functionality with history management.
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability allows authenticated users to manipulate the /file endpoint to enumerate directories named after other users (T1087.001 Local Account) and access their chat history files (T1083 File and Directory Discovery, T1005 Data from Local System).
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.