CVE-2024-1728
HIGH 7.5 | EPSS 85.1% | Gradio allows users to access arbitrary files
Published: 2024/4/10 | Modified: 2026/2/3
Description
### Impact

This vulnerability allows users of Gradio applications that have a public link (such as on Hugging Face Spaces) to access files on the machine hosting the Gradio application. This involves intercepting and modifying the network requests made by the Gradio app to the server.

### Patches

Yes, the problem has been patched in Gradio version 4.19.2 or higher. We have no knowledge of this exploit being used against users of Gradio applications, but we encourage all users to upgrade to Gradio 4.19.2 or higher.

Fixed in: https://github.com/gradio-app/gradio/commit/16fbe9cd0cffa9f2a824a0165beb43446114eec7

CVE: https://nvd.nist.gov/vuln/detail/CVE-2024-1728
Affected packages (2)
- PyPI/gradio: from 0, < 4.19.2
- PyPI/gradio: from 0, < 4.19.2
CVSS score
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | HIGH 7.5 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
References (5)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2024-1728
- PATCH: https://github.com/gradio-app/gradio
- WEB: https://github.com/gradio-app/gradio/commit/16fbe9cd0cffa9f2a824a0165beb43446114eec7
- WEB: https://github.com/gradio-app/gradio/security/advisories/GHSA-m842-4qm8-7gpq
- WEB: https://huntr.com/bounties/9bb33b71-7995-425d-91cc-2c2a2f2a068a