Files on the host computer can be accessed from the Gradio interface
CVE-2021-43831

7.7HIGH

Key Information:

Vendor: Gradio-app
Status: Gradio
Vendor: CVE Published:; 15 December 2021

What is CVE-2021-43831?

Gradio is an open source framework for building interactive machine learning models and demos. In versions prior to 2.5.0 there is a vulnerability that affects anyone who creates and publicly shares Gradio interfaces. File paths are not restricted and users who receive a Gradio link can access any files on the host computer if they know the file names or file paths. This is limited only by the host operating system. Paths are opened in read only mode. The problem has been patched in gradio 2.5.0.

Affected Version(s)

gradio < 2.5.0

References

https://github.com/gradio-app/gradio/security/advisories/...

x_refsource_CONFIRM

https://github.com/gradio-app/gradio/commit/41bd3645bdb61...

x_refsource_MISC

EPSS Score

30% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

7.7

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Dec 15, 2021
Vulnerability Reserved
Nov 16, 2021