漏洞标题
GPT_academic的配置文件文件易受到文件信息泄露攻击
漏洞描述信息
gpt_academic的配置文件存在文件信息泄露漏洞
CVSS信息
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
漏洞类别
对路径名的限制不恰当(路径遍历)
漏洞标题
gpt_academic's Configuration File vulnerable to File Information Disclosure
漏洞描述信息
gpt_academic provides a graphical interface for ChatGPT/GLM. A vulnerability was found in gpt_academic 3.37 and prior. This issue affects some unknown processing of the component Configuration File Handler. The manipulation of the argument file leads to information disclosure. Since no sensitive files are configured to be off-limits, sensitive information files in some working directories can be read through the `/file` route, leading to sensitive information leakage. This affects users that uses file configurations via `config.py`, `config_private.py`, `Dockerfile`. A patch is available at commit 1dcc2873d2168ad2d3d70afcb453ac1695fbdf02. As a workaround, one may use environment variables instead of `config*.py` files to configure this project, or use docker-compose installation to configure this project.
CVSS信息
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
漏洞类别
信息暴露
漏洞标题
gpt_academic 信息泄露漏洞
漏洞描述信息
gpt_academic是为ChatGPT/GLM提供图形交互界面,特别优化论文阅读润色体验。 gpt_academic 3.37及之前版本存在安全漏洞,该漏洞源于没有配置敏感文件禁止访问,攻击者利用该漏洞可以读取敏感信息文件。
CVSS信息
N/A
漏洞类别
信息泄露