cvelistv5 - cve-2023-51449

URL	Tags
security-advisories@github.com	https://github.com/gradio-app/gradio/commit/1b9d4234d6c25ef250d882c7b90e1f4039ed2d76	Patch
security-advisories@github.com	https://github.com/gradio-app/gradio/commit/7ba8c5da45b004edd12c0460be9222f5b5f5f055	Patch
security-advisories@github.com	https://github.com/gradio-app/gradio/security/advisories/GHSA-6qm2-wpxq-7qh2	Third Party Advisory

▼	Vendor	Product
	gradio-app	gradio

ghsa-6qm2-wpxq-7qh2

Vulnerability from github

Published

2023-12-21 18:24

Modified

2024-02-16 21:52

Severity ?

8.6 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L

Summary

Gradio makes the `/file` secure against file traversal and server-side request forgery attacks

Details

Older versions of gradio contained a vulnerability in the /file route which made them susceptible to file traversal attacks in which an attacker could access arbitrary files on a machine running a Gradio app with a public URL (e.g. if the demo was created with share=True, or on Hugging Face Spaces) if they knew the path of files to look for.

This was not possible through regular URLs passed into a browser, but it was possible through the use of programmatic tools such as curl with the --pass-as-is flag.

Furthermore, the /file route in Gradio apps also contained a vulnerability that made it possible to use it for SSRF attacks.

Both of these vulnerabilities have been fixed in gradio==4.11.0

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "gradio"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.11.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-51449"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-12-21T18:24:28Z",
    "nvd_published_at": "2023-12-22T21:15:09Z",
    "severity": "HIGH"
  },
  "details": "Older versions of `gradio` contained a vulnerability in the `/file` route which made them susceptible to file traversal attacks in which an attacker could access arbitrary files on a machine running a Gradio app with a public URL (e.g. if the demo was created with `share=True`, or on Hugging Face Spaces) if they knew the path of files to look for. \n\nThis was not possible through regular URLs passed into a browser, but it was possible through the use of programmatic tools such as `curl` with the `--pass-as-is` flag. \n\nFurthermore,  the `/file` route in Gradio apps also contained a vulnerability that made it possible to use it for SSRF attacks.\n\nBoth of these vulnerabilities have been fixed in `gradio==4.11.0`",
  "id": "GHSA-6qm2-wpxq-7qh2",
  "modified": "2024-02-16T21:52:40Z",
  "published": "2023-12-21T18:24:28Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/gradio-app/gradio/security/advisories/GHSA-6qm2-wpxq-7qh2"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-51449"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gradio-app/gradio/commit/1b9d4234d6c25ef250d882c7b90e1f4039ed2d76"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gradio-app/gradio/commit/7ba8c5da45b004edd12c0460be9222f5b5f5f055"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/gradio-app/gradio"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/gradio/PYSEC-2023-249.yaml"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Gradio makes the `/file` secure against file traversal and server-side request forgery attacks"
}

gsd-2023-51449

Vulnerability from gsd

Modified

2023-12-21 06:01

Details

Gradio is an open-source Python package that allows you to quickly build a demo or web application for your machine learning model, API, or any arbitary Python function. Versions of `gradio` prior to 4.11.0 contained a vulnerability in the `/file` route which made them susceptible to file traversal attacks in which an attacker could access arbitrary files on a machine running a Gradio app with a public URL (e.g. if the demo was created with `share=True`, or on Hugging Face Spaces) if they knew the path of files to look for. This issue has been patched in version 4.11.0.

Aliases

CVE-2023-51449

JSON

To clipboard

{
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2023-51449"
      ],
      "details": "Gradio is an open-source Python package that allows you to quickly build a demo or web application for your machine learning model, API, or any arbitary Python function. Versions of `gradio` prior to 4.11.0 contained a vulnerability in the `/file` route which made them susceptible to file traversal attacks in which an attacker could access arbitrary files on a machine running a Gradio app with a public URL (e.g. if the demo was created with `share=True`, or on Hugging Face Spaces) if they knew the path of files to look for. This issue has been patched in version 4.11.0.",
      "id": "GSD-2023-51449",
      "modified": "2023-12-21T06:01:31.589067Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2023-51449",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "gradio",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "=",
                          "version_value": "\u003c 4.11.0"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "gradio-app"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Gradio is an open-source Python package that allows you to quickly build a demo or web application for your machine learning model, API, or any arbitary Python function. Versions of `gradio` prior to 4.11.0 contained a vulnerability in the `/file` route which made them susceptible to file traversal attacks in which an attacker could access arbitrary files on a machine running a Gradio app with a public URL (e.g. if the demo was created with `share=True`, or on Hugging Face Spaces) if they knew the path of files to look for. This issue has been patched in version 4.11.0."
          }
        ]
      },
      "impact": {
        "cvss": [
          {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 5.6,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
            "version": "3.1"
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "cweId": "CWE-22",
                "lang": "eng",
                "value": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/gradio-app/gradio/security/advisories/GHSA-6qm2-wpxq-7qh2",
            "refsource": "MISC",
            "url": "https://github.com/gradio-app/gradio/security/advisories/GHSA-6qm2-wpxq-7qh2"
          },
          {
            "name": "https://github.com/gradio-app/gradio/commit/1b9d4234d6c25ef250d882c7b90e1f4039ed2d76",
            "refsource": "MISC",
            "url": "https://github.com/gradio-app/gradio/commit/1b9d4234d6c25ef250d882c7b90e1f4039ed2d76"
          },
          {
            "name": "https://github.com/gradio-app/gradio/commit/7ba8c5da45b004edd12c0460be9222f5b5f5f055",
            "refsource": "MISC",
            "url": "https://github.com/gradio-app/gradio/commit/7ba8c5da45b004edd12c0460be9222f5b5f5f055"
          }
        ]
      },
      "source": {
        "advisory": "GHSA-6qm2-wpxq-7qh2",
        "discovery": "UNKNOWN"
      }
    },
    "nvd.nist.gov": {
      "cve": {
        "configurations": [
          {
            "nodes": [
              {
                "cpeMatch": [
                  {
                    "criteria": "cpe:2.3:a:gradio_project:gradio:*:*:*:*:*:python:*:*",
                    "matchCriteriaId": "2ED6F199-2E15-4A3C-978D-0F6712D53C4C",
                    "versionEndExcluding": "4.11.0",
                    "vulnerable": true
                  }
                ],
                "negate": false,
                "operator": "OR"
              }
            ]
          }
        ],
        "descriptions": [
          {
            "lang": "en",
            "value": "Gradio is an open-source Python package that allows you to quickly build a demo or web application for your machine learning model, API, or any arbitary Python function. Versions of `gradio` prior to 4.11.0 contained a vulnerability in the `/file` route which made them susceptible to file traversal attacks in which an attacker could access arbitrary files on a machine running a Gradio app with a public URL (e.g. if the demo was created with `share=True`, or on Hugging Face Spaces) if they knew the path of files to look for. This issue has been patched in version 4.11.0."
          },
          {
            "lang": "es",
            "value": "Gradio es un paquete Python de c\u00f3digo abierto que le permite crear r\u00e1pidamente una demostraci\u00f3n o una aplicaci\u00f3n web para su modelo de aprendizaje autom\u00e1tico, API o cualquier funci\u00f3n arbitraria de Python. Las versiones de `gradio` anteriores a la 4.11.0 conten\u00edan una vulnerabilidad en la ruta `/file` que las hac\u00eda susceptibles a ataques transversales de archivos en los que un atacante pod\u00eda acceder a archivos arbitrarios en una m\u00e1quina que ejecutaba una aplicaci\u00f3n Gradio con una URL p\u00fablica (por ejemplo, si la demostraci\u00f3n se cre\u00f3 con `share=True`, o en Hugging Face Spaces) si conoc\u00edan la ruta de los archivos a buscar. Este problema se solucion\u00f3 en la versi\u00f3n 4.11.0."
          }
        ],
        "id": "CVE-2023-51449",
        "lastModified": "2024-01-09T20:18:05.027",
        "metrics": {
          "cvssMetricV31": [
            {
              "cvssData": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              },
              "exploitabilityScore": 3.9,
              "impactScore": 3.6,
              "source": "nvd@nist.gov",
              "type": "Primary"
            },
            {
              "cvssData": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 5.6,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
                "version": "3.1"
              },
              "exploitabilityScore": 2.2,
              "impactScore": 3.4,
              "source": "security-advisories@github.com",
              "type": "Secondary"
            }
          ]
        },
        "published": "2023-12-22T21:15:09.000",
        "references": [
          {
            "source": "security-advisories@github.com",
            "tags": [
              "Patch"
            ],
            "url": "https://github.com/gradio-app/gradio/commit/1b9d4234d6c25ef250d882c7b90e1f4039ed2d76"
          },
          {
            "source": "security-advisories@github.com",
            "tags": [
              "Patch"
            ],
            "url": "https://github.com/gradio-app/gradio/commit/7ba8c5da45b004edd12c0460be9222f5b5f5f055"
          },
          {
            "source": "security-advisories@github.com",
            "tags": [
              "Third Party Advisory"
            ],
            "url": "https://github.com/gradio-app/gradio/security/advisories/GHSA-6qm2-wpxq-7qh2"
          }
        ],
        "sourceIdentifier": "security-advisories@github.com",
        "vulnStatus": "Analyzed",
        "weaknesses": [
          {
            "description": [
              {
                "lang": "en",
                "value": "CWE-22"
              }
            ],
            "source": "security-advisories@github.com",
            "type": "Primary"
          }
        ]
      }
    }
  }
}

pysec-2023-249

Vulnerability from pysec

Published

2023-12-22 21:15

Modified

2024-01-17 11:19

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Details

Gradio is an open-source Python package that allows you to quickly build a demo or web application for your machine learning model, API, or any arbitary Python function. Versions of gradio prior to 4.11.0 contained a vulnerability in the /file route which made them susceptible to file traversal attacks in which an attacker could access arbitrary files on a machine running a Gradio app with a public URL (e.g. if the demo was created with share=True, or on Hugging Face Spaces) if they knew the path of files to look for. This issue has been patched in version 4.11.0.

Aliases

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "gradio",
        "purl": "pkg:pypi/gradio"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1b9d4234d6c25ef250d882c7b90e1f4039ed2d76"
            },
            {
              "fixed": "7ba8c5da45b004edd12c0460be9222f5b5f5f055"
            }
          ],
          "repo": "https://github.com/gradio-app/gradio",
          "type": "GIT"
        },
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.11.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "0.1.0",
        "0.1.1",
        "0.1.2",
        "0.1.3",
        "0.1.4",
        "0.1.5",
        "0.1.6",
        "0.1.7",
        "0.1.8",
        "0.1.9",
        "0.2.0",
        "0.2.1",
        "0.3.0",
        "0.3.1",
        "0.3.2",
        "0.3.3",
        "0.3.4",
        "0.3.5",
        "0.4.0",
        "0.4.1",
        "0.4.2",
        "0.4.4",
        "0.5.0",
        "0.7.0",
        "0.7.1",
        "0.7.2",
        "0.7.3",
        "0.7.4",
        "0.7.5",
        "0.7.6",
        "0.7.7",
        "0.7.8",
        "0.8.0",
        "0.8.1",
        "0.9.0",
        "0.9.1",
        "0.9.2",
        "0.9.3",
        "0.9.4",
        "0.9.5",
        "0.9.6",
        "0.9.7",
        "0.9.8",
        "0.9.9.2",
        "0.9.9.3",
        "0.9.9.5",
        "0.9.9.6",
        "0.9.9.7",
        "0.9.9.8",
        "0.9.9.9",
        "0.9.9.9.2",
        "1.0.0",
        "1.0.0a1",
        "1.0.0a3",
        "1.0.0a4",
        "1.0.1",
        "1.0.2",
        "1.0.3",
        "1.0.4",
        "1.0.5",
        "1.0.6",
        "1.0.7",
        "1.1.0",
        "1.1.1",
        "1.1.2",
        "1.1.3",
        "1.1.4",
        "1.1.5",
        "1.1.6",
        "1.1.8",
        "1.1.8.1",
        "1.1.9",
        "1.2.2",
        "1.2.3",
        "1.3.0",
        "1.3.1",
        "1.3.2",
        "1.4.0",
        "1.4.2",
        "1.4.3",
        "1.4.4",
        "1.5.0",
        "1.5.1",
        "1.5.3",
        "1.5.4",
        "1.6.0",
        "1.6.1",
        "1.6.2",
        "1.6.3",
        "1.6.4",
        "1.7.0",
        "1.7.1",
        "1.7.2",
        "1.7.3",
        "1.7.4",
        "1.7.5",
        "1.7.6",
        "1.7.7",
        "2.0.0",
        "2.0.1",
        "2.0.10",
        "2.0.2",
        "2.0.4",
        "2.0.5",
        "2.0.6",
        "2.0.7",
        "2.0.8",
        "2.0.9",
        "2.1.0",
        "2.1.1",
        "2.1.2",
        "2.1.4",
        "2.1.6",
        "2.1.7",
        "2.2.0",
        "2.2.1",
        "2.2.10",
        "2.2.11",
        "2.2.12",
        "2.2.13",
        "2.2.14",
        "2.2.15",
        "2.2.2",
        "2.2.3",
        "2.2.4",
        "2.2.5",
        "2.2.6",
        "2.2.7",
        "2.2.8",
        "2.2.9a0",
        "2.2.9a2",
        "2.3.0",
        "2.3.0a0",
        "2.3.0b101",
        "2.3.0b102",
        "2.3.0b99",
        "2.3.3",
        "2.3.4",
        "2.3.5",
        "2.3.5b0",
        "2.3.6",
        "2.3.7",
        "2.3.7b0",
        "2.3.7b1",
        "2.3.7b2",
        "2.3.8b0",
        "2.3.9",
        "2.4.0",
        "2.4.0a0",
        "2.4.1",
        "2.4.2",
        "2.4.4",
        "2.4.5",
        "2.4.6",
        "2.4.7b0",
        "2.4.7b2",
        "2.4.7b3",
        "2.4.7b4",
        "2.4.7b5",
        "2.4.7b6",
        "2.4.7b7",
        "2.4.7b8",
        "2.4.7b9",
        "2.5.0",
        "2.5.1",
        "2.5.2",
        "2.5.3",
        "2.5.8a0",
        "2.6.0",
        "2.6.1",
        "2.6.1a0",
        "2.6.1b0",
        "2.6.1b3",
        "2.6.2",
        "2.6.3",
        "2.6.4",
        "2.6.4b0",
        "2.6.4b2",
        "2.6.4b3",
        "2.7.0",
        "2.7.0a101",
        "2.7.0a102",
        "2.7.0b70",
        "2.7.5",
        "2.7.5.1",
        "2.7.5.2",
        "2.7.5.2b0",
        "2.8.0",
        "2.8.0a100",
        "2.8.0b0",
        "2.8.0b10",
        "2.8.0b12",
        "2.8.0b2",
        "2.8.0b20",
        "2.8.0b22",
        "2.8.0b3",
        "2.8.0b4",
        "2.8.0b5",
        "2.8.0b6",
        "2.8.1",
        "2.8.10",
        "2.8.11",
        "2.8.12",
        "2.8.13",
        "2.8.14",
        "2.8.2",
        "2.8.3",
        "2.8.4",
        "2.8.5",
        "2.8.6",
        "2.8.7",
        "2.8.8",
        "2.8.9",
        "2.9.0",
        "2.9.0.1",
        "2.9.0b0",
        "2.9.0b1",
        "2.9.0b10",
        "2.9.0b2",
        "2.9.0b3",
        "2.9.0b5",
        "2.9.0b6",
        "2.9.0b7",
        "2.9.0b8",
        "2.9.0b9",
        "2.9.1",
        "2.9.2",
        "2.9.3",
        "2.9.4",
        "2.9b11",
        "2.9b12",
        "2.9b13",
        "2.9b14",
        "2.9b15",
        "2.9b20",
        "2.9b21",
        "2.9b22",
        "2.9b23",
        "2.9b24",
        "2.9b25",
        "2.9b26",
        "2.9b27",
        "2.9b28",
        "2.9b30",
        "2.9b31",
        "2.9b32",
        "2.9b33",
        "2.9b40",
        "2.9b48",
        "2.9b50",
        "3.0",
        "3.0.1",
        "3.0.10",
        "3.0.10b16",
        "3.0.10b2",
        "3.0.11",
        "3.0.11b1",
        "3.0.12",
        "3.0.13",
        "3.0.13b100",
        "3.0.13b13",
        "3.0.13b15",
        "3.0.14",
        "3.0.15",
        "3.0.16",
        "3.0.17",
        "3.0.18",
        "3.0.18b0",
        "3.0.19",
        "3.0.19b0",
        "3.0.19b1",
        "3.0.19b2",
        "3.0.1b120",
        "3.0.1b121",
        "3.0.1b300",
        "3.0.2",
        "3.0.20",
        "3.0.20.dev0",
        "3.0.21",
        "3.0.22",
        "3.0.23",
        "3.0.23.dev1",
        "3.0.24",
        "3.0.25",
        "3.0.26",
        "3.0.3",
        "3.0.4",
        "3.0.5",
        "3.0.6",
        "3.0.6b1",
        "3.0.6b2",
        "3.0.6b3",
        "3.0.7",
        "3.0.8",
        "3.0.8b1",
        "3.0.9",
        "3.0.9b10",
        "3.0.9b11",
        "3.0.9b20",
        "3.0b0",
        "3.0b1",
        "3.0b10",
        "3.0b2",
        "3.0b5",
        "3.0b6",
        "3.0b8",
        "3.0b9",
        "3.1.0",
        "3.1.1",
        "3.1.2",
        "3.1.3",
        "3.1.3a0",
        "3.1.3a2",
        "3.1.3a3",
        "3.1.3a4",
        "3.1.3a5",
        "3.1.4",
        "3.1.4b0",
        "3.1.4b1",
        "3.1.4b2",
        "3.1.4b3",
        "3.1.4b4",
        "3.1.4b5",
        "3.1.5",
        "3.1.5b1",
        "3.1.5b10",
        "3.1.5b2",
        "3.1.5b3",
        "3.1.5b4",
        "3.1.5b5",
        "3.1.5b7",
        "3.1.5b8",
        "3.1.5b9",
        "3.1.6",
        "3.1.6b1",
        "3.1.7",
        "3.1.8b0",
        "3.1.8b2",
        "3.1.8b3",
        "3.1.8b4",
        "3.1.8b6",
        "3.10.0",
        "3.10.1",
        "3.11.0",
        "3.12.0",
        "3.12.0b1",
        "3.12.0b2",
        "3.12.0b3",
        "3.12.0b6",
        "3.12.0b7",
        "3.13.0",
        "3.13.0b1",
        "3.13.1",
        "3.13.1b0",
        "3.13.1b1",
        "3.13.1b2",
        "3.13.2",
        "3.14.0",
        "3.14.0a1",
        "3.15.0",
        "3.16.0",
        "3.16.1",
        "3.16.1b1",
        "3.16.2",
        "3.17.0",
        "3.17.1",
        "3.17.1b1",
        "3.17.1b2",
        "3.18.0",
        "3.18.1b1",
        "3.18.1b2",
        "3.18.1b3",
        "3.18.1b4",
        "3.18.1b5",
        "3.18.1b6",
        "3.18.1b7",
        "3.19.0",
        "3.19.1",
        "3.2",
        "3.2.1b0",
        "3.2.1b1",
        "3.2.1b2",
        "3.20.0",
        "3.20.0b1",
        "3.20.0b2",
        "3.20.1",
        "3.21.0",
        "3.22.0",
        "3.22.1",
        "3.22.1b1",
        "3.23.0",
        "3.23.1b1",
        "3.23.1b2",
        "3.23.1b3",
        "3.24.0",
        "3.24.1",
        "3.25.0",
        "3.25.1b1",
        "3.25.1b2",
        "3.26.0",
        "3.27.0",
        "3.28.0",
        "3.28.1",
        "3.28.2",
        "3.28.3",
        "3.28.4b0",
        "3.29.0",
        "3.3",
        "3.3.1",
        "3.30.0",
        "3.31.0",
        "3.32.0",
        "3.33.0",
        "3.33.1",
        "3.34.0",
        "3.35.0",
        "3.35.1",
        "3.35.2",
        "3.36.0",
        "3.36.1",
        "3.37.0",
        "3.38.0",
        "3.39.0",
        "3.3b0",
        "3.3b1",
        "3.4",
        "3.4.1",
        "3.40.0",
        "3.40.1",
        "3.41.0",
        "3.41.1",
        "3.41.2",
        "3.42.0",
        "3.43.0",
        "3.43.1",
        "3.43.2",
        "3.44.0",
        "3.44.1",
        "3.44.2",
        "3.44.3",
        "3.44.4",
        "3.45.0",
        "3.45.0b0",
        "3.45.0b1",
        "3.45.0b10",
        "3.45.0b11",
        "3.45.0b12",
        "3.45.0b13",
        "3.45.0b2",
        "3.45.0b3",
        "3.45.0b4",
        "3.45.0b5",
        "3.45.0b6",
        "3.45.0b7",
        "3.45.0b8",
        "3.45.0b9",
        "3.45.1",
        "3.45.2",
        "3.46.0",
        "3.46.1",
        "3.47.0",
        "3.47.1",
        "3.48.0",
        "3.49.0",
        "3.4b0",
        "3.4b1",
        "3.4b2",
        "3.4b3",
        "3.4b5",
        "3.5",
        "3.50.0",
        "3.50.1",
        "3.50.2",
        "3.6",
        "3.6.0b1",
        "3.6.0b10",
        "3.6.0b2",
        "3.6.0b3",
        "3.6.0b7",
        "3.7",
        "3.8",
        "3.8.1",
        "3.8.1.dev1",
        "3.8.2",
        "3.8b1",
        "3.8b2",
        "3.9",
        "3.9.1",
        "4.0.0",
        "4.0.0b15",
        "4.0.1",
        "4.0.2",
        "4.1.0",
        "4.1.1",
        "4.1.2",
        "4.10.0",
        "4.2.0",
        "4.3.0",
        "4.4.0",
        "4.4.1",
        "4.5.0",
        "4.7.0",
        "4.7.1",
        "4.8.0",
        "4.9.0",
        "4.9.1"
      ]
    }
  ],
  "aliases": [
    "CVE-2023-51449",
    "GHSA-6qm2-wpxq-7qh2"
  ],
  "details": "Gradio is an open-source Python package that allows you to quickly build a demo or web application for your machine learning model, API, or any arbitary Python function. Versions of `gradio` prior to 4.11.0 contained a vulnerability in the `/file` route which made them susceptible to file traversal attacks in which an attacker could access arbitrary files on a machine running a Gradio app with a public URL (e.g. if the demo was created with `share=True`, or on Hugging Face Spaces) if they knew the path of files to look for. This issue has been patched in version 4.11.0.",
  "id": "PYSEC-2023-249",
  "modified": "2024-01-17T11:19:18.252182+00:00",
  "published": "2023-12-22T21:15:00+00:00",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://github.com/gradio-app/gradio/security/advisories/GHSA-6qm2-wpxq-7qh2"
    },
    {
      "type": "FIX",
      "url": "https://github.com/gradio-app/gradio/commit/1b9d4234d6c25ef250d882c7b90e1f4039ed2d76"
    },
    {
      "type": "FIX",
      "url": "https://github.com/gradio-app/gradio/commit/7ba8c5da45b004edd12c0460be9222f5b5f5f055"
    }
  ],
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Action not permitted

cve-2023-51449

Vulnerability from cvelistv5

ghsa-6qm2-wpxq-7qh2

Vulnerability from github

gsd-2023-51449

Vulnerability from gsd

pysec-2023-249

Vulnerability from pysec

Tags