PT-2025-12052

Published 2025-03-20 · Updated 2025-09-18 · CVE-2024-10707

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: gaizhenbiao/chuanhuchatgpt version git d4ec6a3

Description: The issue is a local file inclusion vulnerability arising from the use of the Gradio component gr.JSON. Improper input validation in the handle dataset selection function allows unauthenticated users to access arbitrary files on the server; an attacker can trigger it by uploading a specially crafted JSON file.

Recommendations: For gaizhenbiao/chuanhuchatgpt version git d4ec6a3, as a temporary workaround, consider disabling the handle dataset selection function until a patch is available. Restrict access to the gr.JSON component to minimize the risk of exploitation, and avoid using the gr.JSON component in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
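The recommendations above amount to not letting a gr.JSON value decide which file the server reads. As an added example, not code from chuanhuchatgpt or Gradio, the hardened handler below confines a dataset name taken from user-supplied JSON to the configured dataset directory before reading it; the function names, the 'dataset' key and the accepted file types are assumptions.

```python
import json
import tempfile
from pathlib import Path

class DatasetPathError(ValueError):
    """Requested dataset is not an allowed file inside the dataset directory."""

def resolve_dataset_path(dataset_dir: str, requested: str) -> Path:
    """Confine a user-supplied dataset name to an existing file inside dataset_dir."""
    base = Path(dataset_dir).resolve()
    # Resolving first defeats '..' segments, absolute paths and symlinks; relative_to()
    # then checks containment, where a str prefix test would accept 'datasets_backup'.
    candidate = (base / requested).resolve()
    try:
        candidate.relative_to(base)  # ValueError when candidate is outside base
    except ValueError:
        raise DatasetPathError(f"path escapes dataset directory: {requested!r}") from None
    if candidate.suffix.lower() not in {".json", ".jsonl", ".csv"}:  # assumed formats
        raise DatasetPathError(f"unsupported dataset type: {candidate.suffix!r}")
    if not candidate.is_file():
        raise DatasetPathError(f"no such dataset: {requested!r}")
    return candidate

def handle_dataset_selection_safe(dataset_dir: str, selection_json: str) -> str:
    """Hypothetical hardened handler: only the 'dataset' string of the JSON value is used."""
    try:
        name = json.loads(selection_json)["dataset"]
    except (json.JSONDecodeError, KeyError, TypeError):
        raise DatasetPathError("selection must be a JSON object with a 'dataset' key") from None
    if not isinstance(name, str):
        raise DatasetPathError("'dataset' must be a string")
    return resolve_dataset_path(dataset_dir, name).read_text(encoding="utf-8")

def demo() -> dict:
    outcomes = {}  # constructed scenario: one real dataset plus files outside the directory
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, text in (("datasets/train.json", '[{"q": "hi"}]'),
                          ("datasets_backup/leak.json", "leaked"), ("secret.txt", "secret")):
            (root / rel).parent.mkdir(exist_ok=True)
            (root / rel).write_text(text, encoding="utf-8")
        for name in ("train.json", "../secret.txt", "../datasets_backup/leak.json",
                     "/etc/hostname", "train.txt", 42):
            try:
                outcomes[str(name)] = handle_dataset_selection_safe(
                    str(root / "datasets"), json.dumps({"dataset": name}))
            except DatasetPathError:
                outcomes[str(name)] = "rejected"
    return outcomes
```

Only the legitimate name yields file contents; traversal, absolute paths, the sibling directory that a prefix check would accept, a disallowed extension and a non-string value are all rejected before any read.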

Exploit

RCE

Path traversal

Weakness Enumeration

Related Identifiers

CVE-2024-10707
PYSEC-2025-93

Affected Products

Gaizhenbiao/Chuanhuchatgpt
Gradio