CVE-2024-1729

CVSS V2 None CVSS V3 None

Description

A timing attack vulnerability exists in the gradio-app/gradio repository, specifically within the login function in routes.py. The vulnerability arises from the use of a direct comparison operation (`app.auth[username] == password`) to validate user credentials, which can be exploited to guess passwords based on response times. Successful exploitation of this vulnerability could allow an attacker to bypass authentication mechanisms and gain unauthorized access.

Overview

CVE ID
CVE-2024-1729

Assigner
@huntr_ai

Vulnerability Status
PUBLISHED

Published Version
2024-03-29T04:35:12.067Z

Last Modified Date
2024-06-20T18:23:34.756Z

Weakness Enumerations

CWE	URL
CWE-367	http://cwe.mitre.org/data/definitions/367.html

References

Reference URL	Reference Tags
https://huntr.com/bounties/f6a10a8d-f538-4cb7-9bb2-85d9f5708124
https://github.com/gradio-app/gradio/commit/e329f1fd38935213fe0e73962e8cbd5d3af6e87b

Sources

Source Name	Source URL
NIST	https://nvd.nist.gov/vuln/detail/CVE-2024-1729
MITRE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-1729

History

Created	Old Value	New Value	Data Type	Notes
2024-06-26 06:00:08				Added to TrackCVE