GHSA-3x9g-xfj5-fq84 – gradio

Package

Manager: pip
Name: gradio
Vulnerable Version: <0

Severity

Level: Medium

CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L

CVSS v4.0: N/A

EPSS: N/A pctlN/A

Details

Duplicate Advisory: Cross-Site Request Forgery in Gradio ## Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-48cq-79qq-6f7x. this link is maintained to preserve external references. ## Original Description A Cross-Site Request Forgery gives attackers the ability to upload many large files to a victim, if they are running Gradio locally. To resolve this a PR tightening the CORS rules around Gradio applications has been submitted. In particular, it checks to see if the host header is localhost (or one of its aliases) and if so, it requires the origin header (if present) to be localhost (or one of its aliases) as well.

Metadata

Created: 2024-03-21T21:31:15Z
Modified: 2024-05-21T14:43:32Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/03/GHSA-3x9g-xfj5-fq84/GHSA-3x9g-xfj5-fq84.json
CWE IDs: ["CWE-352"]
Alternative ID: N/A
Finding: N/A
Auto approve: 0