CVE-2024-1729

2024-03-2905:15:45

CWE-367

@huntr_ai

web.nvd.nist.gov

cve-2024-1729

nvd

password check condition

timing attack

guess the password

CVSS3

5.9

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

AI Score

5.8

Confidence

High

EPSS

Percentile

9.0%

JSON

A timing attack vulnerability exists in the gradio-app/gradio repository, specifically within the login function in routes.py. The vulnerability arises from the use of a direct comparison operation (app.auth[username] == password) to validate user credentials, which can be exploited to guess passwords based on response times. Successful exploitation of this vulnerability could allow an attacker to bypass authentication mechanisms and gain unauthorized access.

Affected configurations

Vulners

Vulnrichment

Node

gradio-appgradio-app\/gradioMatch4.19.2

VendorProductVersionCPE
gradio-appgradio-app\/gradio4.19.2cpe:2.3:a:gradio-app:gradio-app\/gradio:4.19.2:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
gradio-app	gradio-app\/gradio	4.19.2	cpe:2.3:a:gradio-app:gradio-app\/gradio:4.19.2:::::::*

CNA Affected

[
  {
    "vendor": "gradio-app",
    "product": "gradio-app/gradio",
    "versions": [
      {
        "version": "unspecified",
        "lessThan": "4.19.2",
        "status": "affected",
        "versionType": "custom"
      }
    ]
  }
]