CVE-2024-5124

Public Exploit

Timing Attack Vulnerability in gaizhenbiao/chuanhuchatgpt

Description

A timing attack vulnerability exists in the gaizhenbiao/chuanhuchatgpt repository, specifically within the password comparison logic. The vulnerability is present in version 20240310 of the software, where passwords are compared using the '=' operator in Python. This method of comparison allows an attacker to guess passwords based on the timing of each character's comparison. The issue arises from the code segment that checks a password for a particular username, which can lead to the exposure of sensitive information to an unauthorized actor. An attacker exploiting this vulnerability could potentially guess user passwords, compromising the security of the system.

References

Link	Tags
https://huntr.com/bounties/e85ec077-930a-4597-975f-9341d2805641	third party advisory exploit
https://github.com/gaizhenbiao/chuanhuchatgpt/commit/e46ec4ecd896bc3c88eb9a2f44e8593f3c6761b4

Frequently Asked Questions

What is the severity of CVE-2024-5124?: CVE-2024-5124 has been scored as a high severity vulnerability.
How to fix CVE-2024-5124?: To fix CVE-2024-5124, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2024-5124 being actively exploited in the wild?: It is possible that CVE-2024-5124 is being exploited or will be exploited in a near future based on public information. According to its EPSS score, there is a ~31% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2024-5124?: CVE-2024-5124 affects gaizhenbiao gaizhenbiao/chuanhuchatgpt.

Description

Category

CWE-203 – Observable Discrepancy

References

Frequently Asked Questions