Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Timing Attack Vulnerability in parisneo/lollms
Vulnerability Description
The parisneo/lollms repository is affected by a timing attack vulnerability in the `authenticate_user` function within the `lollms_authentication.py` file. This vulnerability allows attackers to enumerate valid usernames and guess passwords incrementally by analyzing response time differences. The affected version is the latest, and the issue is resolved in version 20.1. The vulnerability arises from the use of Python's default string equality operator for password comparison, which compares characters sequentially and exits on the first mismatch, leading to variable response times based on the number of matching initial characters.
CVSS Information
N/A
Vulnerability Type
通过差异性导致的信息暴露
Vulnerability Title
LoLLMs 安全漏洞
Vulnerability Description
LoLLMs是Saifeddine ALOUI个人开发者的一个大型语言与多模态系统。 LoLLMs存在安全漏洞,该漏洞源于lollms_authentication.py中authenticate_user函数存在时间差攻击风险,可能导致用户名枚举和密码猜测。
CVSS Information
N/A
Vulnerability Type
N/A