CVE-2023-34239
Gradio vulnerable to arbitrary file read and proxying of arbitrary URLs
Severity: HIGH 7.3 | EPSS: 0.28%
Published: 2023/6/9 | Modified: 2025/2/21
Description
### Impact
There are two separate security vulnerabilities here:
1. a vulnerability that allows users to read arbitrary files on the machines that are running shared Gradio apps
2. the ability of users to use machines that are sharing Gradio apps to proxy arbitrary URLs
### Patches
Both problems have been fixed; please upgrade `gradio` to `3.34.0` or higher.
### Workarounds
No workaround is possible other than taking down any shared Gradio apps.
### References
Relevant PRs:
* https://github.com/gradio-app/gradio/pull/4406
* https://github.com/gradio-app/gradio/pull/4370
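The two issue classes named above, reading arbitrary files from the host and proxying arbitrary URLs, are both failures to constrain client-controlled input before it reaches the filesystem or the network. The following added Python example is not Gradio's code and not the fix shipped in the PRs above; it shows the generic checks a practitioner would want when assessing or hardening a deployment: a version test against the advisory's affected range (`< 3.34.0`), a path-containment check for a file-serving endpoint, and a hostname allowlist for a proxy endpoint. The root directory `/srv/gradio-app/static`, the allowlisted hosts and all sample inputs are constructed for illustration.

```python
"""Illustrative hardening checks for the two issue classes in CVE-2023-34239.
This is an added example, not Gradio's own code or the fix shipped in 3.34.0."""
import ipaddress
import os
import re
from urllib.parse import urlsplit

# Advisory range: every gradio release before 3.34.0 is affected.
FIXED_VERSION = "3.34.0"

# Hypothetical allowlist of hosts a proxy endpoint may fetch from (assumed, not Gradio's).
ALLOWED_PROXY_HOSTS = {"huggingface.co", "cdn-lfs.huggingface.co"}


def _version_key(version):
    """Turn '3.33.1' into (3, 33, 1). A pre-release suffix such as '3.34.0b1' is
    treated like the final release; use packaging.version for full PEP 440 rules."""
    parts = []
    for piece in version.split(".")[:3]:
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_affected(installed_version):
    """True when the installed gradio version is inside the advisory range (< 3.34.0)."""
    return _version_key(installed_version) < _version_key(FIXED_VERSION)


def resolve_served_file(root, requested):
    """Map a client-supplied relative path onto a file under `root`.

    Returns the absolute path if it stays inside `root`, otherwise None.
    realpath collapses '..' segments and follows symlinks before the
    containment test, so a symlink inside root that points at /etc/passwd
    is rejected as well.
    """
    if os.path.isabs(requested):
        return None  # never let the client name an absolute path
    root_real = os.path.realpath(root)
    target = os.path.realpath(os.path.join(root_real, requested))
    if os.path.commonpath([root_real, target]) != root_real:
        return None
    return target


def is_allowed_proxy_url(url):
    """Accept only http(s) URLs whose hostname is on the allowlist.

    IP literals are refused outright so loopback, the link-local metadata
    address 169.254.169.254 and RFC 1918 ranges cannot be reached through
    the proxy even if someone later adds them to the allowlist by mistake.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False
    if parts.username is not None or parts.password is not None:
        return False  # 'https://trusted-host@evil/' style confusion
    host = parts.hostname
    if not host:
        return False
    try:
        ipaddress.ip_address(host)
        return False  # IP literal (IPv4 or IPv6), never proxied
    except ValueError:
        pass  # a hostname, fall through to the allowlist
    return host.lower() in ALLOWED_PROXY_HOSTS


if __name__ == "__main__":
    print("gradio 3.33.1 affected:", is_affected("3.33.1"))
    root = "/srv/gradio-app/static"  # constructed root directory
    print(resolve_served_file(root, "css/app.css"))
    print(resolve_served_file(root, "../../../etc/passwd"))
    print(is_allowed_proxy_url("https://huggingface.co/spaces/demo"))
    print(is_allowed_proxy_url("http://169.254.169.254/latest/meta-data/"))
```

A hostname allowlist is only the first gate for a proxy: the fetch itself should refuse to follow redirects (or re-run `is_allowed_proxy_url` on every redirect target) and should pin the resolved address for the connection, since an allowlisted name can be rebound to an internal address after validation. Likewise the path check must be applied to the final path that is opened, not to an earlier copy of the request string.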
Affected packages
- PyPI/gradio: from 0, < 3.34.0
CVSS score
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | HIGH 7.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L |
References (9)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2023-34239
- PATCH: https://github.com/gradio-app/gradio
- WEB: https://github.com/gradio-app/gradio/commit/37967617bd97615fb6f3b44e7750c0e0be58479a
- WEB: https://github.com/gradio-app/gradio/commit/37967617bd97615fb6f3b44e7750c0e0be58479a#diff-324a7165f5d5a8823a28b76f5653fa45f32c8144c82b2e528882c97c7eae534f
- WEB: https://github.com/gradio-app/gradio/commit/cd64130d54e678525774bbb200ef9c7166fa1543
- WEB: https://github.com/gradio-app/gradio/pull/4370
- WEB: https://github.com/gradio-app/gradio/pull/4406
- WEB: https://github.com/gradio-app/gradio/security/advisories/GHSA-3qqg-pgqq-3695
- WEB: https://github.com/pypa/advisory-database/tree/main/vulns/gradio/PYSEC-2023-90.yaml