Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Non-constant-time comparison when comparing hashes in Gradio
Vulnerability Description
Gradio is an open-source Python package designed for quick prototyping. This vulnerability involves a **timing attack** in the way Gradio compares hashes for the `analytics_dashboard` function. Since the comparison is not done in constant time, an attacker could exploit this by measuring the response time of different requests to infer the correct hash byte-by-byte. This can lead to unauthorized access to the analytics dashboard, especially if the attacker can repeatedly query the system with different keys. Users are advised to upgrade to `gradio>4.44` to mitigate this issue. To mitigate the risk before applying the patch, developers can manually patch the `analytics_dashboard` dashboard to use a **constant-time comparison** function for comparing sensitive values, such as hashes. Alternatively, access to the analytics dashboard can be disabled.
CVSS Information
N/A
Vulnerability Type
通过差异性导致的信息暴露
Vulnerability Title
Gradio 安全漏洞
Vulnerability Description
Gradio是Hugging Face开源的一个开源 Python 库,是通过友好的 Web 界面演示机器学习模型的方法。 Gradio存在安全漏洞,该漏洞源于比较不是在恒定时间内完成的,攻击者可以通过测量不同请求的响应时间来逐字节推断正确的哈希值,从而利用这一点。
CVSS Information
N/A
Vulnerability Type
N/A