CVE-2024-6038 — HIGH (7.5) — White Hats Nepal

Vulnerability Description

A Regular Expression Denial of Service (ReDoS) vulnerability exists in the latest version of gaizhenbiao/chuanhuchatgpt. The vulnerability is located in the filter_history function within the utils.py module. This function takes a user-provided keyword and attempts to match it against chat history filenames using a regular expression search. Due to the lack of sanitization or validation of the keyword parameter, an attacker can inject a specially crafted regular expression, leading to a denial of service condition. This can cause severe degradation of service performance and potential system unavailability.

CVSS Score

7.5

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

NONE

Availability

HIGH

Affected Products

Vendor	Product	Versions
Gaizhenbiao	Chuanhuchatgpt	20240410

Related Weaknesses (CWE)

CWE-1333

References

https://github.com/gaizhenbiao/chuanhuchatgpt/commit/fcdd5fd6b05ef537a1db185ab11
https://huntr.com/bounties/d41cca0a-82bc-4cbf-a52a-928d304fb42dExploitThird Party Advisory
https://huntr.com/bounties/d41cca0a-82bc-4cbf-a52a-928d304fb42dExploitThird Party Advisory

FAQ

What is CVE-2024-6038?

CVE-2024-6038 is a vulnerability with a CVSS score of 7.5 (HIGH). A Regular Expression Denial of Service (ReDoS) vulnerability exists in the latest version of gaizhenbiao/chuanhuchatgpt. The vulnerability is located in the filter_history function within the utils.py...

How severe is CVE-2024-6038?

CVE-2024-6038 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2024-6038?

Check the references section above for vendor advisories and patch information. Affected products include: Gaizhenbiao Chuanhuchatgpt.