Gradio
CVE-2024-1729
MEDIUM
Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Primary rating from Vendor (huntr) · only source for this CVE.
CVSS VectorVendor: huntr
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
1Blast Radius
ecosystem impact- 3 pypi packages depend on gradio (3 direct, 0 indirect)
Ecosystem-wide dependent count for version 4.19.2.
DescriptionCVE.org
A timing attack vulnerability exists in the gradio-app/gradio repository, specifically within the login function in routes.py. The vulnerability arises from the use of a direct comparison operation (app.auth[username] == password) to validate user credentials, which can be exploited to guess passwords based on response times. Successful exploitation of this vulnerability could allow an attacker to bypass authentication mechanisms and gain unauthorized access.
AnalysisAI
A timing attack vulnerability exists in the gradio-app/gradio repository, specifically within the login function in routes.py. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. Public exploit code available.
Technical ContextAI
This vulnerability is classified under CWE-367. A timing attack vulnerability exists in the gradio-app/gradio repository, specifically within the login function in routes.py. The vulnerability arises from the use of a direct comparison operation (app.auth[username] == password) to validate user credentials, which can be exploited to guess passwords based on response times. Successful exploitation of this vulnerability could allow an attacker to bypass authentication mechanisms and gain unauthorized access. Affected products include: Gradio Project Gradio.
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.
Gradio v4.36.1 was discovered to contain a code injection vulnerability via the component /gradio/component_meta.py. Rat
A local file include could be remotely triggered in Gradio due to a vulnerable user-supplied JSON value in an API reques
A command injection vulnerability exists in the gradio-app/gradio repository, specifically within the 'test-functional.y
A Server-Side Request Forgery (SSRF) vulnerability exists in the gradio-app/gradio version 4.21.0, specifically within t
A path traversal vulnerability exists in the Gradio Audio component of gradio-app/gradio, as of version git 98cbcae. Rat
A command injection vulnerability exists in the deploy+test-visual.yml workflow of the gradio-app/gradio repository, due
Command Injection in GitHub repository gradio-app/gradio prior to main. Rated high severity (CVSS 8.1), this vulnerabili
Gradio is an open source framework for building interactive machine learning models and demos. Rated high severity (CVSS
A Regular Expression Denial of Service (ReDoS) vulnerability exists in the gradio-app/gradio repository, affecting the g
A Denial of Service (DoS) vulnerability was discovered in the file upload feature of gradio-app/gradio version 0.39.1. R
A vulnerability in the dataframe component of gradio-app/gradio (version git 98cbcae) allows for a zip bomb attack. Rate
Gradio versions up to 6.7 contains a vulnerability that allows attackers to read arbitrary files from the file system (C
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today