SSRF Vulnerability in Upload Processing Interface
A Server-Side Request Forgery (SSRF) vulnerability was discovered in the upload processing interface of ChuanhuChatGPT, affecting versions up to ChuanhuChatGPT-20240410-git.zip. The vulnerability allows attackers to send crafted requests from the vulnerable server to internal or external resources. The issue has not yet been patched.
Available publicly on Jun 14 2024
Threat Overview
The SSRF vulnerability in the upload processing interface allows an attacker to manipulate the server into making requests to arbitrary locations. This can lead to unauthorized access to internal systems, data theft, service disruption, and potentially further attacks such as port scanning or accessing metadata endpoints. The vulnerability is particularly dangerous because it can bypass security controls and access sensitive data.
Attack Scenario
An attacker could exploit this vulnerability by crafting a malicious payload that includes a URL pointing to an internal resource. By sending this payload to the vulnerable upload processing interface, the attacker can trick the server into making a request to the specified URL. This could allow the attacker to access sensitive internal data, perform port scans, or interact with other internal services.
Who is affected
Users and administrators of ChuanhuChatGPT versions up to ChuanhuChatGPT-20240410-git.zip are affected by this vulnerability. This includes any deployments where the upload processing interface is exposed to untrusted input.
Technical Report
Want more out of Sightline?
Sightline offers even more for premium customers
Go Premium
We have - related security advisories that are available with Sightline Premium.