=====================================================================
CERT-Renater Information Note No. 2024/VULN015
_____________________________________________________________________
DATE                 : 05/01/2024
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S)  : Systems running gradio versions prior to 4.11.0.
=====================================================================
https://github.com/gradio-app/gradio/security/advisories/GHSA-6qm2-wpxq-7qh2
_____________________________________________________________________

Make the `/file` route secure against file traversal attacks and SSRF

abidlabs published GHSA-6qm2-wpxq-7qh2 on Dec 20, 2023

Package           : gradio (pip)
Affected versions : < 4.11.0
Patched versions  : 4.11.0

Description

Older versions of gradio contained a vulnerability in the /file route which made them susceptible to file traversal attacks: an attacker could access arbitrary files on a machine running a Gradio app with a public URL (e.g. if the demo was created with share=True, or on Hugging Face Spaces) if they knew the path of the files to look for. This was not possible through regular URLs typed into a browser, because browsers remove "../" segments from the URL path before sending the request, but it was possible through programmatic tools such as curl with the --path-as-is flag, which sends the path exactly as written. Furthermore, the /file route in Gradio apps also contained a vulnerability that made it possible to use it for SSRF attacks.
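As an added illustration that is not part of the CERT-Renater note and not Gradio's own code: a Python sketch of the failure mode described above, with a naive file-route path join beside a hardened one, and a URL check of the kind a server-side fetch needs before following a user-supplied URL. The allowed roots, hostnames and DNS table are constructed for the example; the hardened resolver is one common approach, not a description of the gradio 4.11.0 patch.

```python
"""Illustrative example, not Gradio's code: path-traversal and SSRF checks
for a route that serves files and fetches user-supplied URLs. Roots,
hostnames and the DNS table below are constructed for this example."""
import ipaddress
import os
import socket
from typing import Callable, List, Optional
from urllib.parse import urlsplit

# Constructed allow-list of directories the app may serve files from.
ALLOWED_ROOTS = ["/srv/app/uploads", "/tmp/app-cache"]


def vulnerable_resolve(root: str, requested: str) -> str:
    """Naive join: '../' segments in `requested` walk out of `root`.

    A browser removes dot-segments before sending the request (RFC 3986
    remove_dot_segments), so a URL typed into a browser does not reach this
    code with '..' intact; curl --path-as-is sends the path verbatim and does.
    """
    return os.path.normpath(os.path.join(root, requested))


def safe_resolve(requested: str, roots: List[str] = ALLOWED_ROOTS) -> Optional[str]:
    """Return the canonical path if it lies inside an allowed root, else None."""
    if "\x00" in requested:          # NUL truncates paths in C-level APIs
        return None
    for root in roots:
        root_real = os.path.realpath(root)
        # realpath collapses '..' and follows symlinks, so a symlink inside the
        # root that points outside it is rejected as well. An absolute
        # `requested` makes join() discard root_real; containment then fails.
        candidate = os.path.realpath(os.path.join(root_real, requested))
        # commonpath, not startswith: '/srv/app/uploads_evil' must not pass.
        if os.path.commonpath([root_real, candidate]) == root_real:
            return candidate
    return None


# Constructed DNS table so the SSRF check runs offline; pass
# socket.getaddrinfo as the resolver for real name resolution.
CONSTRUCTED_DNS = {
    "files.example.com": ["93.184.216.34"],
    "intranet.example": ["10.0.0.5"],
    "metadata.example": ["169.254.169.254"],
}


def table_resolver(host: str, port: int) -> list:
    """getaddrinfo-shaped lookup against CONSTRUCTED_DNS; IP literals pass through."""
    ips = CONSTRUCTED_DNS.get(host)
    if ips is None:
        ips = [str(ipaddress.ip_address(host))]   # ValueError for unknown names
    return [(None, None, None, "", (ip, port)) for ip in ips]


def is_safe_fetch_url(url: str, resolver: Callable = socket.getaddrinfo) -> bool:
    """True only for http(s) URLs whose host resolves solely to public addresses."""
    try:
        parts = urlsplit(url)
        host, port = parts.hostname, parts.port or 80
    except ValueError:
        return False
    if parts.scheme not in ("http", "https") or not host:
        return False   # rejects file://, gopher://, and scheme-less input
    try:
        # info[4][0] is the address string; a scoped IPv6 literal such as
        # 'fe80::1%eth0' raises ValueError and so fails closed.
        addrs = [ipaddress.ip_address(info[4][0]) for info in resolver(host, port)]
    except (OSError, ValueError):
        return False
    # Loopback, RFC 1918, link-local (cloud metadata 169.254.169.254), ::1 and
    # 0.0.0.0 are all non-global. Connect to the address that was checked
    # rather than re-resolving the name, or DNS rebinding defeats the check.
    return bool(addrs) and all(a.is_global for a in addrs)


if __name__ == "__main__":
    print(vulnerable_resolve("/srv/app/uploads", "../../../etc/passwd"))
    print(safe_resolve("../../../etc/passwd"), safe_resolve("reports/q1.pdf"))
    for u in ("https://files.example.com/a.png", "http://metadata.example/latest/",
              "http://127.0.0.1:7860/", "file:///etc/passwd"):
        print(u, is_safe_fetch_url(u, table_resolver))
```

The containment test is done on canonicalised paths with os.path.commonpath rather than a string prefix, and the URL check resolves the host and requires every returned address to be public; the fetch that follows must reuse the checked address, since a second lookup can return a different answer.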
Both of these vulnerabilities have been fixed in gradio==4.11.0.

Severity    : Moderate, CVSS base score 5.6 / 10
CVSS base metrics
  Attack vector       : Network
  Attack complexity   : High
  Privileges required : None
  User interaction    : None
  Scope               : Unchanged
  Confidentiality     : Low
  Integrity           : Low
  Availability        : Low
CVSS vector : CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
CVE ID      : CVE-2023-51449
Weaknesses  : No CWEs
Credits     : @Yaniv-git (Analyst), @nvn1729 (Analyst)

=========================================================
+ CERT-RENATER      | tel   : 01-53-94-20-44            +
+ 23/25 Rue Daviel  | fax   : 01-53-94-20-41            +
+ 75013 Paris       | email : cert@support.renater.fr   +
=========================================================