Veracode Vulnerability Database, VERACODE:46380
Apr 12, 2024 - 10:13 a.m.

Local File Inclusion (LFI)

2024-04-12 10:13:46
sca.analysiscenter.veracode.com
Tags: local file inclusion, vulnerability, improper validation, user-supplied input, file paths, uploadbutton, file uploads, arbitrary files, filesystem manipulation

CVSS3: 7.5

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

AI Score: 7
Confidence: High

EPSS: 0.001
Percentile: 21.4%

gradio is vulnerable to Local File Inclusion (LFI). The UploadButton component does not properly validate user-supplied input, specifically the file paths it handles during file uploads to the /queue/join endpoint. An attacker can manipulate the uploaded file path to read arbitrary files on the filesystem.
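
The kind of check this finding calls for, as an added example (not gradio's code or its actual fix): the server resolves every client-supplied file path and rejects it unless the real target lies inside the upload directory. The function names, directory layout and sample paths are constructed for illustration.

```python
import os
import tempfile
from pathlib import Path


def resolve_upload_path(client_path: str, upload_root: Path) -> Path:
    """Map a client-supplied path to a file inside upload_root, or raise."""
    if not client_path or "\x00" in client_path:
        raise ValueError("empty path or NUL byte")
    root = upload_root.resolve(strict=True)
    # An absolute client_path replaces root in the join; resolve() also
    # collapses ".." and follows symlinks, so the check sees the real target.
    candidate = (root / client_path).resolve(strict=False)
    try:
        candidate.relative_to(root)
    except ValueError:
        raise PermissionError(f"path escapes upload directory: {client_path!r}") from None
    if not candidate.is_file():
        raise FileNotFoundError(client_path)
    return candidate


def check_samples() -> dict:
    """Run the check over constructed sample paths in a throwaway directory."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        uploads = base / "uploads"
        uploads.mkdir()
        (uploads / "report.csv").write_text("a,b\n")
        outside = base / "outside.txt"  # stands in for any file outside the root
        outside.write_text("not an upload\n")
        os.symlink(outside, uploads / "link.txt")  # symlink planted inside the root
        samples = {"plain": "report.csv", "dotdot": "../outside.txt",
                   "absolute": str(outside), "symlink": "link.txt"}
        for name, path in samples.items():
            try:
                resolve_upload_path(path, uploads)
                results[name] = "allowed"
            except (PermissionError, FileNotFoundError, ValueError) as exc:
                results[name] = type(exc).__name__
    return results


if __name__ == "__main__":
    print(check_samples())
```

Comparing the raw string against the upload directory is not enough: the check has to run on the resolved path, which is why the symlink sample is rejected even though its name sits inside the root.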
