High Severity

gradio

Arbitrary Local File Read in Gradio via Component Method Invocation

A vulnerability in Gradio version 4.12.0 allows attackers to read arbitrary files on the server by exploiting the `/component_server` endpoint to call any method on a `Component` class, specifically `move_resource_to_block_cache()`. This issue was patched in version 4.13.0.

Available publicly on Apr 16 2024

7.5

CVE:

CVE-2024-1561

CWE:

29:Path Traversal: '\..\filename'

CVSS:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Credit:

ozelis
AssessDetect

Available

Remediate
Remediation Steps
  • Update Gradio to version 4.13.0 or later.
  • Review and restrict access to sensitive files that could be targeted.
  • Implement additional input validation on server endpoints to prevent unauthorized method invocation.
  • Regularly audit and monitor application logs for suspicious activity.
Patch Details
  • Fixed Version: 4.13.0
  • Patch Commit: https://github.com/gradio-app/gradio/commit/24a583688046867ca8b8b02959c441818bdb34a2
Want more out of Sightline?

Sightline offers even more for premium customers

Go Premium

We have 291 related security advisories that are available with Sightline Premium.

Sightline logo
About Protect AIPrivacy PolicyTerms of Service
© 2024 Protect AI, Inc.
Slack iconLinkedIn iconYoutube iconX icon