CVE-2023-33979

gpt_academic provides a graphical interface for ChatGPT/GLM. A vulnerability was found in gpt_academic 3.37 and prior. This issue affects some unknown processing of the component Configuration File Handler. The manipulation of the argument file leads to information disclosure. Since no sensitive files are configured to be off-limits, sensitive information files in some working directories can be read through the `/file` route, leading to sensitive information leakage. This affects users that uses file configurations via `config.py`, `config_private.py`, `Dockerfile`. A patch is available at commit 1dcc2873d2168ad2d3d70afcb453ac1695fbdf02. As a workaround, one may use environment variables instead of `config*.py` files to configure this project, or use docker-compose installation to configure this project.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/binary-husky/gpt_academic/commit/1dcc2873d2168ad2d3d70afcb453ac1695fbdf02	Patch
https://github.com/binary-husky/gpt_academic/security/advisories/GHSA-pg65-p24m-wf5g	Patch Vendor Advisory
https://github.com/binary-husky/gpt_academic/commit/1dcc2873d2168ad2d3d70afcb453ac1695fbdf02	Patch
https://github.com/binary-husky/gpt_academic/security/advisories/GHSA-pg65-p24m-wf5g	Patch Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:binary-husky:gpt_academic:*:*:*:*:*:*:*:*

History

07 Mar 2025, 15:30

Type	Values Removed	Values Added
CPE	cpe:2.3:a:gpt_academic_project:gpt_academic::::::::	cpe:2.3:a:binary-husky:gpt_academic::::::::
First Time		Binary-husky gpt Academic Binary-husky

Information

Published : 2023-05-31 19:15

Updated : 2025-03-07 15:30

NVD link : CVE-2023-33979

Mitre link : CVE-2023-33979

CVE.ORG link : CVE-2023-33979

JSON object : View

Products Affected

binary-husky

gpt_academic

CWE

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

{"id": "CVE-2023-33979", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.8}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.8}]}, "published": "2023-05-31T19:15:27.163", "references": [{"url": "https://github.com/binary-husky/gpt_academic/commit/1dcc2873d2168ad2d3d70afcb453ac1695fbdf02", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/binary-husky/gpt_academic/security/advisories/GHSA-pg65-p24m-wf5g", "tags": ["Patch", "Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/binary-husky/gpt_academic/commit/1dcc2873d2168ad2d3d70afcb453ac1695fbdf02", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/binary-husky/gpt_academic/security/advisories/GHSA-pg65-p24m-wf5g", "tags": ["Patch", "Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-200"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-200"}]}], "descriptions": [{"lang": "en", "value": "gpt_academic provides a graphical interface for ChatGPT/GLM. A vulnerability was found in gpt_academic 3.37 and prior. This issue affects some unknown processing of the component Configuration File Handler. The manipulation of the argument file leads to information disclosure. Since no sensitive files are configured to be off-limits, sensitive information files in some working directories can be read through the `/file` route, leading to sensitive information leakage. This affects users that uses file configurations via `config.py`, `config_private.py`, `Dockerfile`. A patch is available at commit 1dcc2873d2168ad2d3d70afcb453ac1695fbdf02. As a workaround, one may use environment variables instead of `config*.py` files to configure this project, or use docker-compose installation to configure this project."}], "lastModified": "2025-03-07T15:30:57.390", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:binary-husky:gpt_academic:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1D81EE9C-45BE-44E6-97CC-F839A18169DA", "versionEndExcluding": "3.37"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}