CVE-2023-34239 gradio

Package

Manager: pip
Name: gradio
Vulnerable Version: >=0 <3.34.0

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

EPSS: 0.0021 (percentile 0.43436)

Details

Gradio vulnerable to arbitrary file read and proxying of arbitrary URLs

### Impact

There are two separate security vulnerabilities here:

1. a security vulnerability that allows users to read arbitrary files on the machines that are running shared Gradio apps
2. the ability of users to use machines that are sharing Gradio apps to proxy arbitrary URLs

### Patches

Both problems have been solved; please upgrade `gradio` to `3.34.0` or higher.

### Workarounds

Not possible to work around except by taking down any shared Gradio apps.

### References

Relevant PRs:

* https://github.com/gradio-app/gradio/pull/4406
* https://github.com/gradio-app/gradio/pull/4370

Metadata

Created: 2023-06-09T22:51:19Z
Modified: 2024-09-20T21:19:30Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/06/GHSA-3qqg-pgqq-3695/GHSA-3qqg-pgqq-3695.json
CWE IDs: ["CWE-20"]
Alternative ID: GHSA-3qqg-pgqq-3695
Finding: F184
Auto approve: 1