Command Injection in gradio-app/gradio via deploy+test-visual.yml workflow
CVE-2024-1540

8.2HIGH

Key Information:

Vendor: Gradio-app
Status: Gradio-app/gradio
Vendor: CVE Published:; 27 March 2024

What is CVE-2024-1540?

A command injection vulnerability exists in the deploy+test-visual.yml workflow of Gradio. This vulnerability is attributed to improper neutralization of special elements used in command execution. Attackers can exploit this flaw to execute unauthorized commands, which may lead to unauthorized modifications of the base repository along with potential secrets exfiltration. The risk arises from the unsafe handling of GitHub context information, where expressions within ${{ }} are evaluated and substituted before the execution of underlying scripts. To mitigate this issue, it is essential to ensure that untrusted input values are directed to intermediate environment variables, preventing them from directly influencing script generation.

Affected Version(s)

gradio-app/gradio < unspecified

References

https://huntr.com/bounties/0e39e974-9a66-476f-91f5-3f37ab...

https://github.com/gradio-app/gradio/commit/d56bb28df80d8...

CVSS V3.1

Score:

8.2

Severity:

HIGH

Confidentiality:

High

Integrity:

Low

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 27, 2024
Vulnerability Reserved
Feb 15, 2024

Gradio-app

What is CVE-2024-1540?

Affected Version(s)

References

CVSS V3.1

Timeline