Headline
GHSA-j757-pf57-f8r4: Gradio performs a non-constant-time comparison when comparing hashes
Impact
What kind of vulnerability is it? Who is impacted?
This vulnerability involves a timing attack in the way Gradio compares hashes for the analytics_dashboard function. Since the comparison is not done in constant time, an attacker could exploit this by measuring the response time of different requests to infer the correct hash byte-by-byte. This can lead to unauthorized access to the analytics dashboard, especially if the attacker can repeatedly query the system with different keys.
Patches
Yes, please upgrade to gradio>4.44 to mitigate this issue.
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
To mitigate the risk before applying the patch, developers can manually patch the analytics_dashboard dashboard to use a constant-time comparison function for comparing sensitive values, such as hashes. Alternatively, access to the analytics dashboard can be disabled.
Impact
What kind of vulnerability is it? Who is impacted?
This vulnerability involves a timing attack in the way Gradio compares hashes for the analytics_dashboard function. Since the comparison is not done in constant time, an attacker could exploit this by measuring the response time of different requests to infer the correct hash byte-by-byte. This can lead to unauthorized access to the analytics dashboard, especially if the attacker can repeatedly query the system with different keys.
Patches
Yes, please upgrade to gradio>4.44 to mitigate this issue.
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
To mitigate the risk before applying the patch, developers can manually patch the analytics_dashboard dashboard to use a constant-time comparison function for comparing sensitive values, such as hashes. Alternatively, access to the analytics dashboard can be disabled.
References
- GHSA-j757-pf57-f8r4