CVE-2024-1729 Vulnerability Details

  /     /     /  

CVE-2024-1729 Metadata Quick Info

CVE Published: 29/03/2024 | CVE Updated: 01/08/2024 | CVE Year: 2024
Source: @huntr_ai | Vendor: gradio-app | Product: gradio-app/gradio
Status : PUBLISHED

---

CVE-2024-1729 Description

A timing attack vulnerability exists in the gradio-app/gradio repository, specifically within the login function in routes.py. The vulnerability arises from the use of a direct comparison operation (`app.auth[username] == password`) to validate user credentials, which can be exploited to guess passwords based on response times. Successful exploitation of this vulnerability could allow an attacker to bypass authentication mechanisms and gain unauthorized access.

Metrics

CVSS Version: 3.1 | Base Score: n/a
Vector: n/a

l➤ Exploitability Metrics:
    Attack Vector (AV)*
    Attack Complexity (AC)*
    Privileges Required (PR)*
    User Interaction (UI)*
    Scope (S)*

l➤ Impact Metrics:
    Confidentiality Impact (C)*
    Integrity Impact (I)*
    Availability Impact (A)*

Weakness Enumeration (CWE)

CWE-ID: CWE-367
CWE Name: CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition
Source: gradio-app

Common Attack Pattern Enumeration and Classification (CAPEC)

CAPEC-ID:
CAPEC Description:


Source: NVD (National Vulnerability Database).