Lucene search

GitHub Advisory DatabaseGHSA-M842-4QM8-7GPQ

HistorySep 25, 2024 - 9:48 p.m.

Gradio allows users to access arbitrary files

2024-09-2521:48:24

GitHub Advisory Database

github.com

gradio

vulnerability

unauthorized access

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

AI Score

6.5

Confidence

High

JSON

Impact

This vulnerability allows users of Gradio applications that have a public link (such as on Hugging Face Spaces) to access files on the machine hosting the Gradio application. This involves intercepting and modifying the network requests made by the Gradio app to the server.

Patches

Yes, the problem has been patched in Gradio version 4.19.2 or higher. We have no knowledge of this exploit being used against users of Gradio applications, but we encourage all users to upgrade to Gradio 4.19.2 or higher.

Fixed in: https://github.com/gradio-app/gradio/commit/16fbe9cd0cffa9f2a824a0165beb43446114eec7
CVE: https://nvd.nist.gov/vuln/detail/CVE-2024-1728

Affected configurations

Vulners

Node

gradio_projectgradioRange<4.19.2python

VendorProductVersionCPE
gradio_projectgradio*cpe:2.3:a:gradio_project:gradio:*:*:*:*:*:python:*:*

Vendor	Product	Version	CPE
gradio_project	gradio	*	cpe:2.3:a:gradio_project:gradio::::::python::*

References

github.com/advisories/GHSA-m842-4qm8-7gpq

github.com/gradio-app/gradio/commit/16fbe9cd0cffa9f2a824a0165beb43446114eec7

github.com/gradio-app/gradio/security/advisories/GHSA-m842-4qm8-7gpq

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

AI Score

6.5

Confidence

High

JSON

Related for GHSA-M842-4QM8-7GPQ