CVE-2024-5124

Timing Attack Vulnerability in gaizhenbiao/chuanhuchatgpt

Severity Score

7.5

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Attend

*SSVC

Descriptions

A timing attack vulnerability exists in the gaizhenbiao/chuanhuchatgpt repository, specifically within the password comparison logic. The vulnerability is present in version 20240310 of the software, where passwords are compared using the '=' operator in Python. This method of comparison allows an attacker to guess passwords based on the timing of each character's comparison. The issue arises from the code segment that checks a password for a particular username, which can lead to the exposure of sensitive information to an unauthorized actor. An attacker exploiting this vulnerability could potentially guess user passwords, compromising the security of the system.

Existe una vulnerabilidad de ataque sincronizado en el repositorio gaizhenbiao/chuanhuchatgpt, específicamente dentro de la lógica de comparación de contraseñas. La vulnerabilidad está presente en la versión 20240310 del software, donde las contraseñas se comparan utilizando el operador '=" en Python. Este método de comparación permite a un atacante adivinar contraseñas basándose en el momento de la comparación de cada carácter. El problema surge del segmento de código que verifica una contraseña para un nombre de usuario en particular, lo que puede llevar a la exposición de información confidencial a un actor no autorizado. Un atacante que aproveche esta vulnerabilidad podría adivinar las contraseñas de los usuarios, comprometiendo la seguridad del sistema.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

Complete

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:Attend

Exploitation

Poc

Automatable

Yes

Tech. Impact

Total

* Organization's Worst-case Scenario

Timeline

2024-05-19 CVE Reserved
2024-06-06 CVE Published
2024-10-30 First Exploit
2024-11-14 CVE Updated
2024-12-17 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CWE-203: Observable Discrepancy

CAPEC

References (4)

URL	Tag	Source
https://huntr.com/bounties/e85ec077-930a-4597-975f-9341d2805641
https://github.com/gaizhenbiao/chuanhuchatgpt/commit/e46ec4ecd896bc3c88eb9a2f44e8593f3c6761b4

URL	Date	SRC
https://github.com/gogo2464/CVE-2024-5124	2024-10-30
https://github.com/XiaomingX/cve-2024-5124-poc	2024-12-05

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Gaizhenbiao Search vendor "Gaizhenbiao"		Chuanhuchatgpt Search vendor "Gaizhenbiao" for product "Chuanhuchatgpt"				*		-		Affected