CVE-2024-5124
HIGHCVSS v3
7.5
HIGH
EPSS Score
46.1%
exploit probability
CISA KEV
No
known exploited
Exploitation
—
SSVC status
Description
A timing attack vulnerability exists in the gaizhenbiao/chuanhuchatgpt repository, specifically within the password comparison logic. The vulnerability is present in version 20240310 of the software, where passwords are compared using the '=' operator in Python. This method of comparison allows an attacker to guess passwords based on the timing of each character's comparison. The issue arises from the code segment that checks a password for a particular username, which can lead to the exposure of sensitive information to an unauthorized actor. An attacker exploiting this vulnerability could potentially guess user passwords, compromising the security of the system.
Technical Details
- Published
- 6/6/2024
Frequently Asked Questions
What is CVE-2024-5124?
A timing attack vulnerability exists in the gaizhenbiao/chuanhuchatgpt repository, specifically within the password comparison logic. The vulnerability is present in version 20240310 of the software, where passwords are compared using the '=' operator in Python. This method of comparison allows an attacker to guess passwords based on the timing of each character's comparison. The issue arises from the code segment that checks a password for a particular username, which can lead to the exposure of sensitive information to an unauthorized actor. An attacker exploiting this vulnerability could potentially guess user passwords, compromising the security of the system.
Is CVE-2024-5124 actively exploited?
Active exploitation of CVE-2024-5124 has not been confirmed. The EPSS score is 46.1%, indicating the estimated probability of exploitation in the next 30 days.
What is the CVSS score for CVE-2024-5124?
CVE-2024-5124 has a CVSS v3 base score of 7.5 (HIGH severity).
Is CVE-2024-5124 affecting your environment?
Use isMalicious to check if any of your IPs or domains are associated with this vulnerability's IOCs.