CVSS3

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Privileges Required | NONE |
User Interaction | NONE |
Scope | UNCHANGED |
Confidentiality Impact | HIGH |
Integrity Impact | HIGH |
Availability Impact | NONE |
Vector string | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |

EPSS

Metric | Value |
---|---|
Percentile | 51.1% |
There are two separate security vulnerabilities here: (1) a vulnerability that allows users to read arbitrary files on the machines that are running shared Gradio apps, and (2) the ability of users to make machines that are sharing Gradio apps proxy arbitrary URLs.
Both problems have been fixed; upgrade gradio to 3.34.0 or higher.
There is no workaround other than taking down any shared Gradio apps.
Relevant PRs:
Vendor | Product | Version | CPE |
---|---|---|---|
gradio_project | gradio | * | cpe:2.3:a:gradio_project:gradio:*:*:*:*:*:python:*:* |
github.com/advisories/GHSA-3qqg-pgqq-3695
github.com/gradio-app/gradio/commit/37967617bd97615fb6f3b44e7750c0e0be58479a
github.com/gradio-app/gradio/commit/37967617bd97615fb6f3b44e7750c0e0be58479a#diff-324a7165f5d5a8823a28b76f5653fa45f32c8144c82b2e528882c97c7eae534f
github.com/gradio-app/gradio/commit/cd64130d54e678525774bbb200ef9c7166fa1543
github.com/gradio-app/gradio/pull/4370
github.com/gradio-app/gradio/pull/4406
github.com/gradio-app/gradio/security/advisories/GHSA-3qqg-pgqq-3695
github.com/pypa/advisory-database/tree/main/vulns/gradio/PYSEC-2023-90.yaml
nvd.nist.gov/vuln/detail/CVE-2023-34239