CVE-2023-33979: gpt_academic's Configuration File vulnerable to File Information Disclosure

Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2023-33979

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title

gpt_academic's Configuration File vulnerable to File Information Disclosure

Source: NVD (National Vulnerability Database)

Vulnerability Description

gpt_academic provides a graphical interface for ChatGPT/GLM. A vulnerability was found in gpt_academic 3.37 and prior. This issue affects some unknown processing of the component Configuration File Handler. The manipulation of the argument file leads to information disclosure. Since no sensitive files are configured to be off-limits, sensitive information files in some working directories can be read through the `/file` route, leading to sensitive information leakage. This affects users that uses file configurations via `config.py`, `config_private.py`, `Dockerfile`. A patch is available at commit 1dcc2873d2168ad2d3d70afcb453ac1695fbdf02. As a workaround, one may use environment variables instead of `config*.py` files to configure this project, or use docker-compose installation to configure this project.

Source: NVD (National Vulnerability Database)

CVSS Information

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Source: NVD (National Vulnerability Database)

Vulnerability Type

信息暴露

Source: NVD (National Vulnerability Database)

Vulnerability Title

gpt_academic 信息泄露漏洞

Source: CNNVD (China National Vulnerability Database)

Vulnerability Description

gpt_academic是为ChatGPT/GLM提供图形交互界面，特别优化论文阅读润色体验。 gpt_academic 3.37及之前版本存在安全漏洞，该漏洞源于没有配置敏感文件禁止访问，攻击者利用该漏洞可以读取敏感信息文件。

Source: CNNVD (China National Vulnerability Database)

CVSS Information

N/A

Source: CNNVD (China National Vulnerability Database)

Vulnerability Type

N/A

Source: CNNVD (China National Vulnerability Database)

Affected Products

Vendor	Product	Affected Versions	CPE	Subscribe
binary-husky	gpt_academic	<= 3.37	-

II. Public POCs for CVE-2023-33979

#	POC Description	Source Link	Shenlong Link

AI-Generated POCPremium

No public POC found.

III. Intelligence Information for CVE-2023-33979

Please Login to view more intelligence information

IV. Related Vulnerabilities

Same product: gpt_academic

Same vendor: binary-husky

Same weakness: CWE-200

V. Comments for CVE-2023-33979

No comments yet

Goal Reached Thanks to every supporter — we hit 100%!

I. Basic Information for CVE-2023-33979

Vulnerability Information

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Affected Products

II. Public POCs for CVE-2023-33979

III. Intelligence Information for CVE-2023-33979

IV. Related Vulnerabilities

V. Comments for CVE-2023-33979

Leave a comment