CVE-2022-24770 – gradio

Package

Manager: pip
Name: gradio
Vulnerable Version: >=0 <2.8.11

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.00561 pctl0.67307

Details

Improper Neutralization of Formula Elements in a CSV File in Gradio Flagging ### Impact The `gradio` library has a flagging functionality which saves input/output data into a CSV file on the developer's computer. This can allow a user to save arbitrary text into the CSV file, such as commands. If a program like MS Excel opens such a file, then it automatically runs these commands, which could lead to arbitrary commands running on the user's computer. ### Patches The problem has been patched as of `2.8.11`, which escapes the data saved to the csv with single quotes. ### Workarounds If you are using an older version of `gradio`, don't open csv files generated by `gradio` with Excel or similar spreadsheet programs.

Metadata

Created: 2022-03-18T23:11:43Z
Modified: 2022-03-18T23:11:43Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/03/GHSA-f8xq-q7px-wg8c/GHSA-f8xq-q7px-wg8c.json
CWE IDs: ["CWE-1236"]
Alternative ID: GHSA-f8xq-q7px-wg8c
Finding: F090
Auto approve: 1