Lucene search

@huntr_aiVULNRICHMENT:CVE-2024-1727

HistoryMar 21, 2024 - 7:57 p.m.

CVE-2024-1727 CSRF Vulnerability in gradio-app/gradio

2024-03-2119:57:39

CWE-352

@huntr_ai

github.com

cve-2024-1727

cross-site request forgery

gradio

file upload

denial of service

CVSS3

4.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L

AI Score

6.7

Confidence

High

EPSS

Percentile

9.0%

SSVC

Exploitation

poc

Automatable

Technical Impact

partial

JSON

A Cross-Site Request Forgery (CSRF) vulnerability in gradio-app/gradio allows attackers to upload multiple large files to a victim’s system if they are running Gradio locally. By crafting a malicious HTML page that triggers an unauthorized file upload to the victim’s server, an attacker can deplete the system’s disk space, potentially leading to a denial of service. This issue affects the file upload functionality as implemented in gradio/routes.py.

ADP Affected

[
  {
    "cpes": [
      "cpe:2.3:a:gradio_project:gradio:4.16.0:*:*:*:*:*:*:*"
    ],
    "vendor": "gradio_project",
    "product": "gradio",
    "versions": [
      {
        "status": "affected",
        "version": "4.16.0"
      }
    ],
    "defaultStatus": "unknown"
  }
]

References

github.com/gradio-app/gradio/commit/84802ee6a4806c25287344dce581f9548a99834a

huntr.com/bounties/a94d55fb-0770-4cbe-9b20-97a978a2ffff

CVSS3

4.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L

AI Score

6.7

Confidence

High

EPSS

Percentile

9.0%

SSVC

Exploitation

poc

Automatable

Technical Impact

partial

JSON

Related for VULNRICHMENT:CVE-2024-1727