GoogleOSV:GHSA-3QQG-PGQQ-3695Gradio vulnerable to arbitrary file read and proxying of arbitrary URLs
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS
Percentile
51.1%
Impact
There are two separate security vulnerabilities here: (1) a security vulnerability that allows users to read arbitrary files on the machines that are running shared Gradio apps (2) the ability of users to use machines that are sharing Gradio apps to proxy arbitrary URLs
Patches
Both problems have been solved, please upgrade gradio to 3.34.0 or higher
Workarounds
Not possible to workaround except by taking down any shared Gradio apps
References
Relevant PRs:
References
github.com/gradio-app/gradio
github.com/gradio-app/gradio/commit/37967617bd97615fb6f3b44e7750c0e0be58479a#diff-324a7165f5d5a8823a28b76f5653fa45f32c8144c82b2e528882c97c7eae534f
github.com/gradio-app/gradio/commit/cd64130d54e678525774bbb200ef9c7166fa1543
github.com/gradio-app/gradio/pull/4370
github.com/gradio-app/gradio/pull/4406
github.com/gradio-app/gradio/security/advisories/GHSA-3qqg-pgqq-3695
github.com/pypa/advisory-database/tree/main/vulns/gradio/PYSEC-2023-90.yaml
nvd.nist.gov/vuln/detail/CVE-2023-34239
Related
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS
Percentile
51.1%