CVE-2024-1729

2024-03-2905:15:45

Google

osv.dev

cve-2024-1729

software

timing attack

password vulnerability

5.9 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

0.0004 Low

EPSS

Percentile

9.1%

JSON

A timing attack vulnerability exists in the gradio-app/gradio repository, specifically within the login function in routes.py. The vulnerability arises from the use of a direct comparison operation (app.auth[username] == password) to validate user credentials, which can be exploited to guess passwords based on response times. Successful exploitation of this vulnerability could allow an attacker to bypass authentication mechanisms and gain unauthorized access.

CPENameOperatorVersion
gradioeq@gradio/[email protected]
gradioeq@gradio/[email protected]
gradioeq@gradio/[email protected]
gradioeq@gradio/[email protected]
gradioeq@gradio/[email protected]
gradioeq@gradio/[email protected]
gradioeq@gradio/[email protected]
gradioeq@gradio/[email protected]
gradioeq@gradio/[email protected]
gradioeq3.12.0b7

Name	Operator	Version
gradio	eq	@gradio/[email protected]
gradio	eq	@gradio/[email protected]
gradio	eq	@gradio/[email protected]
gradio	eq	@gradio/[email protected]
gradio	eq	@gradio/[email protected]
gradio	eq	@gradio/[email protected]
gradio	eq	@gradio/[email protected]
gradio	eq	@gradio/[email protected]
gradio	eq	@gradio/[email protected]
gradio	eq	3.12.0b7