How severe is CVE-2024-47869?

This vulnerability has a severity rating of LOW with a CVSS score of 3.7 out of 10.

What type of vulnerability is CVE-2024-47869?

This is classified as CWE-203, which is a common weakness in software security.

CVE-2024-47869 - LOW Severity | CVSS 3.7

Vulnerability Description

Gradio is an open-source Python package designed for quick prototyping. This vulnerability involves a **timing attack** in the way Gradio compares hashes for the `analytics_dashboard` function. Since the comparison is not done in constant time, an attacker could exploit this by measuring the response time of different requests to infer the correct hash byte-by-byte. This can lead to unauthorized access to the analytics dashboard, especially if the attacker can repeatedly query the system with different keys. Users are advised to upgrade to `gradio>4.44` to mitigate this issue. To mitigate the risk before applying the patch, developers can manually patch the `analytics_dashboard` dashboard to use a **constant-time comparison** function for comparing sensitive values, such as hashes. Alternatively, access to the analytics dashboard can be disabled.

Related Vulnerabilities

CVE-2019-11743

LOW

CVSS:3.7(Low)

Navigation events were not fully adhering to the W3C's "Navigation-Timing Level 2" draft specification in some instances for the unload event, which restricts access to detailed timing attributes to o...

CWE-2032019

CVE-2019-1563

LOW

CVSS:3.7(Low)

In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recove...

CWE-2032019

CVE-2020-1968

LOW

CVSS:3.7(Low)

The Raccoon attack exploits a flaw in the TLS specification which can lead to an attacker being able to compute the pre-master secret in connections which have used a Diffie-Hellman (DH) based ciphers...

CWE-2032020

CVE-2020-3585

LOW

CVSS:3.7(Low)

A vulnerability in the TLS handler of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software for Cisco Firepower 1000 Series firewalls could allow an unauth...

CWE-2032020

CVE-2020-9389

LOW

CVSS:3.7(Low)

A username enumeration issue was discovered in SquaredUp before version 4.6.0. The login functionality was implemented in a way that would enable a malicious user to guess valid username due to a diff...

CWE-2032020

CVE-2021-29687

LOW

CVSS:3.7(Low)

IBM Security Identity Manager 7.0.2 could allow a remote user to enumerate usernames due to a difference of responses from valid and invalid login attempts. IBM X-Force ID: 200018

CWE-2032021