CVE-2024-47869 Information

Description

Gradio is an open-source Python package designed for quick prototyping. This vulnerability involves a timing attack in the way Gradio compares hashes for the analytics_dashboard function. Since the comparison is not done in constant time an attacker could exploit this by measuring the response time of different requests to infer the correct hash byte-by-byte. This can lead to unauthorized access to the analytics dashboard especially if the attacker can repeatedly query the system with different keys. Users are advised to upgrade to gradio>4.44 to mitigate this issue. To mitigate the risk before applying the patch developers can manually patch the analytics_dashboard dashboard to use a constant-time comparison function for comparing sensitive values such as hashes. Alternatively access to the analytics dashboard can be disabled.

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Reference

https://github.com/gradio-app/gradio/security/advisories/GHSA-j757-pf57-f8r4

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction Required

NONE

Scope

NONE

Confidentiality Impact

UNCHANGED

Integrity Impact

LOW

Availability Impact

NONE

Base Score

NONE

Base Severity

3.7