Local File Inclusion via JSON Component
A Local File Inclusion (LFI) vulnerability was identified in the JSON component of a web application, affecting versions 4.25 to 4.31.3. The issue, patched in version 4.31.4, allowed attackers to read local files by manipulating JSON input.
Available publicly on May 30 2024 | Available with Premium on May 21 2024
Remediation Steps
- Update the web application to version 4.31.4 or later.
- Review and sanitize all user inputs, especially those that are parsed or processed as JSON.
- Implement strict input validation checks to prevent unauthorized file path injections.
- Regularly audit and test application components for similar vulnerabilities.
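The second and third remediation steps, as an added illustration that is not code from the advisory or from the patched project: a small Python handler (the project's language is assumed here) that takes a file path from an untrusted JSON body and only serves it if, after resolving ".." segments and symlinks, it still lies under an allowed root. The function names, the "path" field and the sample requests are constructed for this example.

```python
import json
import os
import tempfile
from pathlib import Path


class PathRejected(ValueError):
    """Raised when a client-supplied path is malformed or escapes the allowed root."""


def resolve_allowed_path(root: str, candidate: str) -> Path:
    """Resolve ``candidate`` (taken from untrusted JSON) strictly inside ``root``.

    Absolute paths are refused outright; relative ones are joined to the root
    and passed through realpath(), which collapses '..' and follows symlinks,
    so the containment check sees the file the OS would actually open.
    """
    if not candidate or os.path.isabs(candidate):
        raise PathRejected(f"absolute or empty path not allowed: {candidate!r}")
    root_real = Path(os.path.realpath(root))
    target = Path(os.path.realpath(os.path.join(root_real, candidate)))
    try:
        target.relative_to(root_real)  # raises ValueError if target is not under root
    except ValueError:
        raise PathRejected(f"path escapes allowed root: {candidate!r}") from None
    return target


def load_file_from_json(root: str, payload: str) -> bytes:
    """Parse a JSON request body and read the referenced file only if it is under root."""
    data = json.loads(payload)
    if not isinstance(data, dict) or not isinstance(data.get("path"), str):
        raise PathRejected("JSON body must be an object with a string 'path' field")
    return resolve_allowed_path(root, data["path"]).read_bytes()


def demo() -> dict:
    """Constructed scenario: an upload root with one file plus a symlink pointing outside it."""
    root = tempfile.mkdtemp()
    outside = tempfile.mkdtemp()
    (Path(root) / "report.txt").write_bytes(b"hello")
    (Path(outside) / "secret.txt").write_bytes(b"not for clients")
    # Constructed request bodies; the 'symlink' case is skipped where symlinks cannot be created.
    requests = {
        "inside": '{"path": "report.txt"}',
        "traversal": '{"path": "../../etc/passwd"}',
        "absolute": '{"path": "/etc/passwd"}',
    }
    try:
        os.symlink(os.path.join(outside, "secret.txt"), os.path.join(root, "link.txt"))
        requests["symlink"] = '{"path": "link.txt"}'
    except OSError:
        pass
    results = {}
    for label, body in requests.items():
        try:
            results[label] = load_file_from_json(root, body).decode()
        except PathRejected:
            results[label] = "rejected"
    return results


if __name__ == "__main__":
    print(demo())
```

The check is done on the resolved path rather than by pattern-matching for "..", so encoded or symlink-based variants are caught by the same rule; a denylist of suspicious substrings would not be.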
Patch Details
- Fixed Version: 4.31.4
- Patch Commit: https://github.com/gradio-app/gradio/commit/ee1e2942e0a1ae84a08a05464e41c8108a03fa9c