Secrets Exfiltration Vulnerability in Gradio Deploy-Website Workflow
CVE-2024-4254
What is CVE-2024-4254?
A vulnerability exists in the 'deploy-website.yml' workflow in the Gradio App repository: because of improper authorization practices, the workflow explicitly checks out and executes code from a forked repository. Untrusted code from the fork therefore runs in an environment that holds permissions to push changes to the base repository and can read sensitive secrets, including GITHUB_TOKEN, HF_TOKEN, and AWSACCESSKEYID, so those secrets can be exfiltrated. Such a flaw compromises both the integrity of the deployment environment and the confidentiality of the tokens used for deployment. Security measures must be implemented to prevent unauthorized access and mitigate the risk of data leaks.
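As an added illustration (not the actual deploy-website.yml from the Gradio repository), the pattern the description refers to, a workflow triggered by a fork pull request that checks out and runs the fork's code while holding secrets, is shown beside a hardened split into an unprivileged build and a privileged deploy; the workflow names, job names and build commands are assumptions.

```yaml
# VULNERABLE PATTERN (illustrative reconstruction, not the real gradio workflow).
# pull_request_target runs in the context of the BASE repository, so repository
# secrets are available and GITHUB_TOKEN may have write access. Checking out the
# fork's head commit and then running its build scripts executes code the PR
# author controls (e.g. package.json scripts) with those credentials in scope.
name: deploy-website
on:
  pull_request_target:            # base-repo context: secrets + writable token
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}   # fork-controlled code
      - run: npm ci && npm run build   # build scripts come from the fork
        env:
          HF_TOKEN: ${{ secrets.HF_TOKEN }}
          AWSACCESSKEYID: ${{ secrets.AWSACCESSKEYID }}
      - run: ./deploy.sh             # pushes with GITHUB_TOKEN (write)

---
# HARDENED: untrusted PR code is built under `pull_request`, where fork PRs get
# a read-only GITHUB_TOKEN and no repository secrets are passed to the job.
name: build-website-preview
on:
  pull_request:
permissions:
  contents: read                   # least privilege; nothing to exfiltrate
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4  # default ref is the PR merge commit; no secrets in env
      - run: npm ci && npm run build

---
# HARDENED: the privileged deploy runs only on merged code and only ever checks
# out the base branch, so fork-authored code never runs where the secrets live.
name: deploy-website
on:
  push:
    branches: [main]
permissions:
  contents: write                  # scoped to what the deploy step actually needs
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4  # base branch only
      - run: npm ci && npm run build && ./deploy.sh
        env:
          HF_TOKEN: ${{ secrets.HF_TOKEN }}
          AWSACCESSKEYID: ${{ secrets.AWSACCESSKEYID }}
```

The defensive check to apply to any repository is to grep workflows for `pull_request_target` (or `workflow_run`) combined with a checkout of `github.event.pull_request.head.sha` or `head.ref` followed by a build or install step.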

Affected Version(s)
gradio-app/gradio <= unspecified
