Lucene search

K
vulnrichment@huntr_aiVULNRICHMENT:CVE-2024-1729
HistoryMar 29, 2024 - 4:35 a.m.

CVE-2024-1729 Timing Attack Vulnerability in gradio-app/gradio

2024-03-2904:35:12
CWE-367
@huntr_ai
github.com
1
cve-2024-1729
gradio-app
timing attack
authentication bypass

5.9 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

7 High

AI Score

Confidence

Low

0.0004 Low

EPSS

Percentile

9.1%

A timing attack vulnerability exists in the gradio-app/gradio repository, specifically within the login function in routes.py. The vulnerability arises from the use of a direct comparison operation (app.auth[username] == password) to validate user credentials, which can be exploited to guess passwords based on response times. Successful exploitation of this vulnerability could allow an attacker to bypass authentication mechanisms and gain unauthorized access.

CNA Affected

[
  {
    "vendor": "gradio-app",
    "product": "gradio-app/gradio",
    "versions": [
      {
        "version": "unspecified",
        "lessThan": "4.19.2",
        "status": "affected",
        "versionType": "custom"
      }
    ]
  }
]

5.9 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

7 High

AI Score

Confidence

Low

0.0004 Low

EPSS

Percentile

9.1%

Related for VULNRICHMENT:CVE-2024-1729