Lucene search

K
githubGitHub Advisory DatabaseGHSA-3QQG-PGQQ-3695
HistoryJun 09, 2023 - 10:51 p.m.

Gradio vulnerable to arbitrary file read and proxying of arbitrary URLs

2023-06-0922:51:19
CWE-20
GitHub Advisory Database
github.com
116
arbitrary file read
proxying urls
shared apps
software vulnerability
update required

CVSS3

9.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

EPSS

0.001

Percentile

51.1%

Impact

There are two separate security vulnerabilities here: (1) a security vulnerability that allows users to read arbitrary files on the machines that are running shared Gradio apps (2) the ability of users to use machines that are sharing Gradio apps to proxy arbitrary URLs

Patches

Both problems have been solved, please upgrade gradio to 3.34.0 or higher

Workarounds

Not possible to workaround except by taking down any shared Gradio apps

References

Relevant PRs:

Affected configurations

Vulners
Node
gradio_projectgradioRange<3.34.0python
VendorProductVersionCPE
gradio_projectgradio*cpe:2.3:a:gradio_project:gradio:*:*:*:*:*:python:*:*

CVSS3

9.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

EPSS

0.001

Percentile

51.1%

Related for GHSA-3QQG-PGQQ-3695