Unfiltered paths in gradio
CVE-2023-34239

9.1CRITICAL

Key Information:

Vendor

gradio-app

Status
gradio
Vendor
CVE Published:
8 June 2023

What is CVE-2023-34239?

Gradio, an open-source Python library widely used for building machine learning and data science applications, has a vulnerability stemming from inadequate path filtering. This flaw permits unauthorized users to access restricted files. Additionally, it fails to restrict proxied URLs effectively, posing further security risks. Users are strongly advised to update to version 3.34.0 to safeguard against these issues, as there are currently no viable workarounds.

Affected Version(s)

gradio < 3.34.0

References

https://github.com/gradio-app/gradio/security/advisories/...
x_refsource_CONFIRM
https://github.com/gradio-app/gradio/pull/4370
x_refsource_MISC
https://github.com/gradio-app/gradio/pull/4406
x_refsource_MISC

CVSS V3.1

Score:
9.1
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.