
CVE-2024-1729: Gradio apps vulnerable to timing attacks to guess password

CVSS Score: 5.9 (CVSS 3.0)

Basic Information

EPSS Score: 0.19063%
Published: 2/22/2024
Updated: 4/8/2024
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
| --- | --- | --- | --- |
| gradio | pip | < 4.19.2 | 4.19.2 |

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stemmed from a direct password comparison, 'app.auth[username] == password', in the login route. This comparison leaks timing information because Python's string comparison returns at the first mismatched character, so the time taken depends on how many leading characters of the submitted password are correct. The commit patched this by replacing the comparison with hmac.compare_digest inside a new compare_passwords_securely function. The routes.py modification in the diff shows that the vulnerable comparison was in the login handler.
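The following is an added illustration, not Gradio's own code: the pre-fix '==' pattern beside a constant-time check of the kind the fix introduces. The AUTH dict, the function names and the dummy-digest handling of unknown usernames are assumptions made for this example; it also goes slightly beyond the page by hashing both sides so that non-ASCII passwords and length differences are handled.

```python
import hashlib
import hmac

# Constructed sample credential store standing in for an app.auth mapping
# of username -> password. Not the project's data.
AUTH = {"alice": "correct horse battery staple"}


def check_login_vulnerable(auth, username, password):
    """Pre-fix pattern described on the page: plain '==' on the stored password.
    CPython compares the strings character by character and stops at the first
    mismatch, so the elapsed time grows with the length of the correct prefix."""
    return username in auth and auth[username] == password


def check_login_hardened(auth, username, password):
    """Constant-time variant (example code, not Gradio's compare_passwords_securely).

    Both values are hashed before comparison so that:
    - hmac.compare_digest always runs over two equal-length byte strings and
      cannot leak the stored password's length;
    - hmac.compare_digest never receives a non-ASCII str, which it rejects
      with TypeError.
    An unknown username is compared against a dummy digest instead of
    returning early, so this code path takes the same time either way.
    """
    stored = auth.get(username)
    expected = hashlib.sha256((stored if stored is not None else "").encode("utf-8")).digest()
    supplied = hashlib.sha256(password.encode("utf-8")).digest()
    match = hmac.compare_digest(expected, supplied)
    # Check membership only after the comparison so both branches do the same work.
    return match and stored is not None
```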

WAF Protection Rules

WAF Rule

Impact

This security policy is with regards to a timing attack that allows users of Gradio apps to potentially guess the password of password-protected Gradio apps. This relies on the fact that string comparisons in Python terminate early, as soo
