CVE-2024-5124

HIGH

CVSS v3

7.5

HIGH

EPSS Score

46.1%

exploit probability

CISA KEV

No

known exploited

Exploitation

SSVC status

Description

A timing attack vulnerability exists in the gaizhenbiao/chuanhuchatgpt repository, specifically within the password comparison logic. The vulnerability is present in version 20240310 of the software, where passwords are compared using the '=' operator in Python. This method of comparison allows an attacker to guess passwords based on the timing of each character's comparison. The issue arises from the code segment that checks a password for a particular username, which can lead to the exposure of sensitive information to an unauthorized actor. An attacker exploiting this vulnerability could potentially guess user passwords, compromising the security of the system.

Technical Details

Published
6/6/2024

Frequently Asked Questions

What is CVE-2024-5124?

A timing attack vulnerability exists in the gaizhenbiao/chuanhuchatgpt repository, specifically within the password comparison logic. The vulnerability is present in version 20240310 of the software, where passwords are compared using the '=' operator in Python. This method of comparison allows an attacker to guess passwords based on the timing of each character's comparison. The issue arises from the code segment that checks a password for a particular username, which can lead to the exposure of sensitive information to an unauthorized actor. An attacker exploiting this vulnerability could potentially guess user passwords, compromising the security of the system.

Is CVE-2024-5124 actively exploited?

Active exploitation of CVE-2024-5124 has not been confirmed. The EPSS score is 46.1%, indicating the estimated probability of exploitation in the next 30 days.

What is the CVSS score for CVE-2024-5124?

CVE-2024-5124 has a CVSS v3 base score of 7.5 (HIGH severity).

Is CVE-2024-5124 affecting your environment?

Use isMalicious to check if any of your IPs or domains are associated with this vulnerability's IOCs.