CVE-2024-5124
Last modified
CVE-2024-5124 is a high-severity vulnerability rated 7.5/10 on the CVSS scale. A timing attack vulnerability exists in the gaizhenbiao/chuanhuchatgpt repository, specifically within the password comparison logic. The vulnerability is present in version 20240310 of the software, where passwords are compared using the '=' operator in Python. EPSS estimates a 1.41% chance of exploitation in the next 30 days.
Description
A timing attack vulnerability exists in the gaizhenbiao/chuanhuchatgpt repository, specifically within the password comparison logic. The vulnerability is present in version 20240310 of the software, where passwords are compared using the '=' operator in Python. This method of comparison allows an attacker to guess passwords based on the timing of each character's comparison. The issue arises from the code segment that checks a password for a particular username, which can lead to the exposure of sensitive information to an unauthorized actor. An attacker exploiting this vulnerability could potentially guess user passwords, compromising the security of the system.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Gaizhenbiao | Chuanhuchatgpt | < 20240628 |
References
- https://huntr.com/bounties/e85ec077-930a-4597-975f-9341d2805641Exploit, Third Party Advisory
- https://huntr.com/bounties/e85ec077-930a-4597-975f-9341d2805641Exploit, Third Party Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2024-5124?
How severe is CVE-2024-5124?
How do I fix CVE-2024-5124?
Are you affected by CVE-2024-5124?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST