Secrets Exfiltration Vulnerability in Gradio Deploy-Website Workflow
CVE-2024-4254

7.1 HIGH

Key Information:

Vendor: Gradio-app
CVE Published: 4 June 2024

What is CVE-2024-4254?

A vulnerability exists in the 'deploy-website.yml' workflow in the Gradio App repository that exposes significant risk through improper authorization. The workflow performs an explicit checkout and execution of code from a forked repository, which makes the exfiltration of sensitive secrets possible, including GITHUB_TOKEN, HF_TOKEN, and AWSACCESSKEYID. This behaviour runs untrusted code in an environment that has permission to push changes to the base repository and can read sensitive data. Such a flaw can severely compromise the integrity of that environment and the confidentiality of the tokens used for deployment, so controls are needed to prevent this unauthorized access and mitigate the risk of data leaks.
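To make the pattern in the description concrete, the following constructed workflow fragments (an added illustration, not the contents of the actual deploy-website.yml) place the weak pattern beside a hardened one. The trigger name, build script, artifact step and secret names other than those listed above are assumptions.

```yaml
# CONSTRUCTED ILLUSTRATION: not the real deploy-website.yml.
# Assumes a pull_request_target trigger, which runs in the base
# repository's context with secrets and a write-capable GITHUB_TOKEN.

# --- Weak pattern: fork code is checked out and executed with secrets in scope ---
name: deploy-website (weak, illustrative)
on:
  pull_request_target:            # base-repo context: secrets + write token
    types: [opened, synchronize]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # Explicit checkout of the PR head commit, i.e. the fork's code ...
          ref: ${{ github.event.pull_request.head.sha }}
      - run: ./scripts/build-site.sh   # hypothetical build script: runs whatever
        env:                           # the fork committed, with secrets readable
          HF_TOKEN: ${{ secrets.HF_TOKEN }}
          AWSACCESSKEYID: ${{ secrets.AWSACCESSKEYID }}

---
# --- Hardened pattern: untrusted code never runs where secrets are in scope ---
name: deploy-website (hardened, illustrative)
on:
  pull_request:                   # fork PRs get a read-only token and no secrets
permissions:
  contents: read                  # least privilege for GITHUB_TOKEN
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4   # default ref (PR merge commit), no fork ref override
      - run: ./scripts/build-site.sh   # hypothetical build script; no secrets in env
      - uses: actions/upload-artifact@v4
        with:
          name: site
          path: build/
# The step that actually needs HF_TOKEN / AWS credentials belongs in a separate
# workflow triggered by push to the default branch, so it only ever runs code
# that has already been reviewed and merged into the base repository.
```

Detection-wise, a review of every workflow using pull_request_target (or workflow_run) for a checkout whose ref points at the event's head SHA or head ref is the quickest way to find this class of misconfiguration in a repository.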

Affected Version(s)

gradio-app/gradio <= unspecified

CVSS V3.1

Score: 7.1
Severity: HIGH
Confidentiality: High
Integrity: Low
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability reserved