A timing attack vulnerability exists in the gaizhenbiao/chuanhuchatgpt repository, specifically within the password comparison logic. The vulnerability is present in version 20240310 of the software, where passwords are compared using the '=' operator in Python. This method of comparison allows an attacker to guess passwords based on the timing of each character's comparison. The issue arises from the code segment that checks a password for a particular username, which can lead to the exposure of sensitive information to an unauthorized actor. An attacker exploiting this vulnerability could potentially guess user passwords, compromising the security of the system.
References
Link | Resource |
---|---|
https://github.com/gaizhenbiao/chuanhuchatgpt/commit/e46ec4ecd896bc3c88eb9a2f44e8593f3c6761b4 | |
https://huntr.com/bounties/e85ec077-930a-4597-975f-9341d2805641 | Exploit Third Party Advisory |
Configurations
History
04 Nov 2024, 11:15
Type | Values Removed | Values Added |
---|---|---|
CWE | ||
References |
|
17 Oct 2024, 18:32
Type | Values Removed | Values Added |
---|---|---|
First Time |
Gaizhenbiao
Gaizhenbiao chuanhuchatgpt |
|
CPE | cpe:2.3:a:gaizhenbiao:chuanhuchatgpt:*:*:*:*:*:*:*:* | |
CWE | CWE-203 | |
References | () https://huntr.com/bounties/e85ec077-930a-4597-975f-9341d2805641 - Exploit, Third Party Advisory |
07 Jun 2024, 14:56
Type | Values Removed | Values Added |
---|---|---|
Summary |
|
06 Jun 2024, 19:16
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2024-06-06 19:16
Updated : 2024-11-04 11:15
NVD link : CVE-2024-5124
Mitre link : CVE-2024-5124
CVE.ORG link : CVE-2024-5124
JSON object : View
Products Affected
gaizhenbiao
- chuanhuchatgpt
CWE
CWE-203
Observable Discrepancy