Lucene search

Veracode Vulnerability DatabaseVERACODE:45620

HistoryFeb 23, 2024 - 1:28 p.m.

Timing Attack

2024-02-2313:28:57

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

gradio

timing attack

vulnerability

string comparison

python

rate-limiting

brute-force

username

password

account

5.9 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

7.1 High

AI Score

Confidence

Low

0.0004 Low

EPSS

Percentile

9.1%

JSON

gradio is vulnerable to Timing Attack. The vulnerability is due to string comparisons in Python terminating early upon encountering a string mismatch. This allows an attacker to take advantage of the default lack of rate-limiting, to brute-force the correct username and password of an account.

CPENameOperatorVersion
gradiole4.19.1
gradiole4.19.1

CPE	Name	Operator	Version
	gradio	le	4.19.1
	gradio	le	4.19.1

References

github.com/advisories/GHSA-hmx6-r76c-85g9

github.com/gradio-app/gradio/commit/e329f1fd38935213fe0e73962e8cbd5d3af6e87b

huntr.com/bounties/f6a10a8d-f538-4cb7-9bb2-85d9f5708124

5.9 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

7.1 High

AI Score

Confidence

Low

0.0004 Low

EPSS

Percentile

9.1%

JSON

Related for VERACODE:45620