cvelistv5 - cve-2024-1727

Source	URL	Tags
security@huntr.dev	https://github.com/gradio-app/gradio/commit/84802ee6a4806c25287344dce581f9548a99834a
security@huntr.dev	https://huntr.com/bounties/a94d55fb-0770-4cbe-9b20-97a978a2ffff

Vendor	Product
gradio-app	gradio-app/gradio

ghsa-3x9g-xfj5-fq84

Vulnerability from github

Published

2024-03-21 21:31

Modified

2024-05-21 14:43

Severity

4.3 (Medium) - CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L

Summary

Duplicate Advisory: Cross-Site Request Forgery in Gradio

Details

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-48cq-79qq-6f7x. this link is maintained to preserve external references.

Original Description

A Cross-Site Request Forgery gives attackers the ability to upload many large files to a victim, if they are running Gradio locally. To resolve this a PR tightening the CORS rules around Gradio applications has been submitted. In particular, it checks to see if the host header is localhost (or one of its aliases) and if so, it requires the origin header (if present) to be localhost (or one of its aliases) as well.

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "gradio"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.19.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-352"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-03-22T13:12:16Z",
    "nvd_published_at": "2024-03-21T20:15:07Z",
    "severity": "MODERATE"
  },
  "details": "## Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-48cq-79qq-6f7x. this link is maintained to preserve external references.\n\n## Original Description\nA Cross-Site Request Forgery gives attackers the ability to upload many large files to a victim, if they are running Gradio locally. To resolve this a PR tightening the CORS rules around Gradio applications has been submitted. In particular, it checks to see if the host header is localhost (or one of its aliases) and if so, it requires the origin header (if present) to be localhost (or one of its aliases) as well.\n\n",
  "id": "GHSA-3x9g-xfj5-fq84",
  "modified": "2024-05-21T14:43:32Z",
  "published": "2024-03-21T21:31:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1727"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gradio-app/gradio/pull/7503"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gradio-app/gradio/commit/84802ee6a4806c25287344dce581f9548a99834a"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/gradio-app/gradio"
    },
    {
      "type": "WEB",
      "url": "https://huntr.com/bounties/a94d55fb-0770-4cbe-9b20-97a978a2ffff"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Duplicate Advisory: Cross-Site Request Forgery in Gradio",
  "withdrawn": "2024-05-21T14:43:32Z"
}

ghsa-48cq-79qq-6f7x

Vulnerability from github

Published

2024-05-21 14:43

Modified

2024-05-21 14:43

Severity

4.3 (Medium) - CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L

Summary

Gradio applications running locally vulnerable to 3rd party websites accessing routes and uploading files

Details

Impact

This CVE covers the ability of 3rd party websites to access routes and upload files to users running Gradio applications locally. For example, the malicious owners of www.dontvisitme.com could put a script on their website that uploads a large file to http://localhost:7860/upload and anyone who visits their website and has a Gradio app will now have that large file uploaded on their computer

Patches

Yes, the problem has been patched in Gradio version 4.19.2 or higher. We have no knowledge of this exploit being used against users of Gradio applications, but we encourage all users to upgrade to Gradio 4.19.2 or higher.

Fixed in: https://github.com/gradio-app/gradio/commit/84802ee6a4806c25287344dce581f9548a99834a CVE: https://nvd.nist.gov/vuln/detail/CVE-2024-1727

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "gradio"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.19.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-1727"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-352"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-05-21T14:43:50Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Impact\nThis CVE covers the ability of 3rd party websites to access routes and upload files to users running Gradio applications locally.  For example, the malicious owners of [www.dontvisitme.com](http://www.dontvisitme.com/) could put a script on their website that uploads a large file to http://localhost:7860/upload and anyone who visits their website and has a Gradio app will now have that large file uploaded on their computer\n\n### Patches\nYes, the problem has been patched in Gradio version 4.19.2 or higher. We have no knowledge of this exploit being used against users of Gradio applications, but we encourage all users to upgrade to Gradio 4.19.2 or higher.\n\nFixed in: https://github.com/gradio-app/gradio/commit/84802ee6a4806c25287344dce581f9548a99834a\nCVE: https://nvd.nist.gov/vuln/detail/CVE-2024-1727",
  "id": "GHSA-48cq-79qq-6f7x",
  "modified": "2024-05-21T14:43:50Z",
  "published": "2024-05-21T14:43:50Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/gradio-app/gradio/security/advisories/GHSA-48cq-79qq-6f7x"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1727"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gradio-app/gradio/pull/7503"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gradio-app/gradio/commit/84802ee6a4806c25287344dce581f9548a99834a"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/gradio-app/gradio"
    },
    {
      "type": "WEB",
      "url": "https://huntr.com/bounties/a94d55fb-0770-4cbe-9b20-97a978a2ffff"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Gradio applications running locally vulnerable to 3rd party websites accessing routes and uploading files"
}

gsd-2024-1727

Vulnerability from gsd

Modified

2024-02-22 06:03

Details

To prevent malicious 3rd party websites from making requests to Gradio applications running locally, this PR tightens the CORS rules around Gradio applications. In particular, it checks to see if the host header is localhost (or one of its aliases) and if so, it requires the origin header (if present) to be localhost (or one of its aliases) as well.

Aliases

CVE-2024-1727

JSON

To clipboard

{
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2024-1727"
      ],
      "details": "To prevent malicious 3rd party websites from making requests to Gradio applications running locally, this PR tightens the CORS rules around Gradio applications. In particular, it checks to see if the host header is localhost (or one of its aliases) and if so, it requires the origin header (if present) to be localhost (or one of its aliases) as well.\n\n",
      "id": "GSD-2024-1727",
      "modified": "2024-02-22T06:03:33.159309Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security@huntr.com",
        "ID": "CVE-2024-1727",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "gradio-app/gradio",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "\u003c",
                          "version_name": "unspecified",
                          "version_value": "4.19.2"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "gradio-app"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "A Cross-Site Request Forgery (CSRF) vulnerability in gradio-app/gradio allows attackers to upload multiple large files to a victim\u0027s system if they are running Gradio locally. By crafting a malicious HTML page that triggers an unauthorized file upload to the victim\u0027s server, an attacker can deplete the system\u0027s disk space, potentially leading to a denial of service. This issue affects the file upload functionality as implemented in gradio/routes.py."
          }
        ]
      },
      "impact": {
        "cvss": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
            "version": "3.0"
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "cweId": "CWE-352",
                "lang": "eng",
                "value": "CWE-352 Cross-Site Request Forgery (CSRF)"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://huntr.com/bounties/a94d55fb-0770-4cbe-9b20-97a978a2ffff",
            "refsource": "MISC",
            "url": "https://huntr.com/bounties/a94d55fb-0770-4cbe-9b20-97a978a2ffff"
          },
          {
            "name": "https://github.com/gradio-app/gradio/commit/84802ee6a4806c25287344dce581f9548a99834a",
            "refsource": "MISC",
            "url": "https://github.com/gradio-app/gradio/commit/84802ee6a4806c25287344dce581f9548a99834a"
          }
        ]
      },
      "source": {
        "advisory": "a94d55fb-0770-4cbe-9b20-97a978a2ffff",
        "discovery": "EXTERNAL"
      }
    },
    "nvd.nist.gov": {
      "cve": {
        "descriptions": [
          {
            "lang": "en",
            "value": "A Cross-Site Request Forgery (CSRF) vulnerability in gradio-app/gradio allows attackers to upload multiple large files to a victim\u0027s system if they are running Gradio locally. By crafting a malicious HTML page that triggers an unauthorized file upload to the victim\u0027s server, an attacker can deplete the system\u0027s disk space, potentially leading to a denial of service. This issue affects the file upload functionality as implemented in gradio/routes.py."
          },
          {
            "lang": "es",
            "value": "Para evitar que sitios web maliciosos de terceros realicen solicitudes a aplicaciones de Gradio que se ejecutan localmente, este PR endurece las reglas CORS en torno a las aplicaciones de Gradio. En particular, verifica si el encabezado del host es localhost (o uno de sus alias) y, de ser as\u00ed, requiere que el encabezado de origen (si est\u00e1 presente) tambi\u00e9n sea localhost (o uno de sus alias)."
          }
        ],
        "id": "CVE-2024-1727",
        "lastModified": "2024-04-16T12:15:09.843",
        "metrics": {
          "cvssMetricV30": [
            {
              "cvssData": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
                "version": "3.0"
              },
              "exploitabilityScore": 2.8,
              "impactScore": 1.4,
              "source": "security@huntr.dev",
              "type": "Secondary"
            }
          ]
        },
        "published": "2024-03-21T20:15:07.620",
        "references": [
          {
            "source": "security@huntr.dev",
            "url": "https://github.com/gradio-app/gradio/commit/84802ee6a4806c25287344dce581f9548a99834a"
          },
          {
            "source": "security@huntr.dev",
            "url": "https://huntr.com/bounties/a94d55fb-0770-4cbe-9b20-97a978a2ffff"
          }
        ],
        "sourceIdentifier": "security@huntr.dev",
        "vulnStatus": "Awaiting Analysis",
        "weaknesses": [
          {
            "description": [
              {
                "lang": "en",
                "value": "CWE-352"
              }
            ],
            "source": "security@huntr.dev",
            "type": "Primary"
          }
        ]
      }
    }
  }
}

Action not permitted

cve-2024-1727

Vulnerability from cvelistv5

ghsa-3x9g-xfj5-fq84

Vulnerability from github

Duplicate Advisory

Original Description

ghsa-48cq-79qq-6f7x

Vulnerability from github

Impact

Patches

gsd-2024-1727

Vulnerability from gsd

Tags