Lucene search

Veracode Vulnerability DatabaseVERACODE:46091

HistoryMar 29, 2024 - 10:52 a.m.

Command Injection

2024-03-2910:52:56

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

gradio commandinjection shellscript vulnerability unauthorizedmodification baserepository secretsexfiltration

8.6 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L

7.4 High

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

9.1%

JSON

gradio is vulnerable to Command Injection. The vulnerability is due to expressions inside of ${{ }} being evaluated and substituted with resulting values before the shell script is run, making it susceptible to injection attacks. The vulnerability allows for unauthorized modification of the base repository and secrets exfiltration.

CPENameOperatorVersion
gradiole4.17.0
gradiole4.17.0

CPE	Name	Operator	Version
	gradio	le	4.17.0
	gradio	le	4.17.0

References

github.com/gradio-app/gradio/commit/d56bb28df80d8db1f33e4acf4f6b2c4f87cb8b28

huntr.com/bounties/0e39e974-9a66-476f-91f5-3f37abb03d77

8.6 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L

7.4 High

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

9.1%

JSON

Related for VERACODE:46091