Cyber Resilience

CVE-2024-5124

Severity: High · Public PoC

Published: 06 June 2024
Modified: 21 November 2024
KEV Added: (not listed)
Patch: (not listed)
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.4613 (97.7th percentile)
Risk Priority: 43 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-5124 is a high-severity Observable Discrepancy (CWE-203) vulnerability in Gaizhenbiao Chuanhuchatgpt. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Password Guessing (T1110.001). The CVE ranks in the top 2.3% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

This vulnerability is AI-related: it is categorised under Enterprise AI Assistants, in the Privacy and Disclosure risk domain.

Deeper analysis

A timing attack vulnerability exists in version 20240310 of the gaizhenbiao/chuanhuchatgpt repository, where passwords are compared using Python's '==' equality operator during the authentication check for a given username. Because that comparison stops at the first mismatching character, the time it takes varies with how much of the supplied password is correct, leaking information about password contents (CWE-203). The flaw received a CVSS 7.5 score, reflecting network-exploitable conditions with high impact on confidentiality and no requirement for prior authentication or user interaction.

An unauthenticated remote attacker can exploit the vulnerability by measuring response times across repeated authentication attempts with crafted inputs, allowing incremental guessing of valid user passwords and potential unauthorized access to accounts.

The referenced GitHub commit e46ec4ecd896bc3c88eb9a2f44e8593f3c6761b4 implements a fix for the affected password comparison logic, while the associated huntr.com bounty report documents the issue and its remediation. The EPSS score has remained flat at 0.4613 with no material increase observed after disclosure.
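The vulnerable comparison pattern beside its constant-time replacement, added here as an illustration rather than taken from the chuanhuchatgpt code base; the credential store, user names and passwords are constructed for the demonstration:

```python
import hashlib
import hmac

# Constructed sample credential store (not the project's own data):
# username -> plaintext password, mirroring the plaintext '==' check the advisory describes.
USERS = {"alice": "correct horse battery staple"}


def check_password_vulnerable(username: str, supplied: str) -> bool:
    """The pattern CVE-2024-5124 describes: '==' on strings stops at the first
    mismatch, so the time taken grows with the length of the matching prefix.
    That variation is the observable discrepancy (CWE-203) a remote caller can
    measure across repeated attempts."""
    stored = USERS.get(username)
    if stored is None:
        return False
    return stored == supplied


def check_password_constant_time(username: str, supplied: str) -> bool:
    """Hardened form: both sides are reduced to a fixed-length SHA-256 digest
    first, so neither the content nor the length of the stored secret changes
    how long hmac.compare_digest takes. An unknown username is compared against
    a dummy value so the check costs the same whether or not the user exists.
    (In a real system the stored value should be a salted password hash, not
    plaintext; the constant-time comparison still applies to the hash.)"""
    stored = USERS.get(username, "")
    stored_digest = hashlib.sha256(stored.encode("utf-8")).digest()
    supplied_digest = hashlib.sha256(supplied.encode("utf-8")).digest()
    matched = hmac.compare_digest(stored_digest, supplied_digest)
    # The dummy comparison has already been paid for; now reject unknown users.
    return matched and username in USERS
```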

EU & UK References

Vulnerability details

A timing attack vulnerability exists in the gaizhenbiao/chuanhuchatgpt repository, specifically within the password comparison logic. The vulnerability is present in version 20240310 of the software, where passwords are compared using the '==' operator in Python. This method of comparison allows an attacker to guess passwords based on the timing of each character's comparison. The issue arises from the code segment that checks a password for a particular username, which can lead to the exposure of sensitive information to an unauthorized actor. An attacker exploiting this vulnerability could potentially guess user passwords, compromising the security of the system.

CWE(s)

CWE-203 Observable Discrepancy

AI Security Analysis

AI Category: Enterprise AI Assistants
Risk Domain: Privacy and Disclosure
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: The vulnerability is in gaizhenbiao/chuanhuchatgpt, an open-source ChatGPT-like web UI and assistant interface for LLMs such as OpenAI's and others, listed on an AI/ML bug bounty platform (huntr).

Related Threats

MITRE ATT&CK Enterprise Techniques

T1110.001 Password Guessing (Credential Access): Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts.
Why these techniques?

The timing attack in password comparison enables password guessing (T1110.001) by allowing attackers to infer correct characters based on response times during authentication attempts.

Affected Assets

Vendor: gaizhenbiao
Product: chuanhuchatgpt
Versions: ≤ 20240628

Mitigating Controls

Likely Mitigating Controls

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

- (addresses CWE-203) Misdirection can normalize or falsify responses to eliminate observable discrepancies that aid reconnaissance.
- (addresses CWE-203) Observable discrepancies in system behavior can be modulated to create covert storage or timing channels; the required analysis detects and constrains such avenues.
- (addresses CWE-203) Prevents attackers from using observable differences in error responses to infer internal system details or state.

References