Skip to content

gpt_academic Configuration File File Information Disclosure

Moderate
binary-husky published GHSA-pg65-p24m-wf5g May 31, 2023

Package

No package listed

Affected versions

<=3.36

Patched versions

3.37

Description

Impact

A vulnerability was found in gpt_academic <=3.36. This issue affects some unknown processing of the component Configuration File Handler. The manipulation of the argument file leads to information disclosure.

Influence users that uses file configerations via config.py, config_private.py, Dockerfile

Patches

1dcc287

Patched after version 3.37

Workarounds

1dcc287

or Using environment variables instead of config*.py files to configure this project, or use docker-compose installation to configure this project

References

https://github.com/binary-husky/gpt_academic

For more information

Since no sensitive files are configured to be off-limits, sensitive information files in some working directories can be read through the /file route, leading to sensitive information leakage

Severity

Moderate

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
Low
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CVE ID

CVE-2023-33979

Credits