Local File Inclusion Vulnerability in gradio-app/gradio version 4.25
CVE-2024-4941

7.5 HIGH

Key Information:

Vendor

Gradio-app

CVE Published:
6 June 2024

What is CVE-2024-4941?

A local file inclusion vulnerability affects the JSON component of Gradio version 4.25, originating from inadequate input validation in the postprocess() function in gradio/components/json_component.py. The flaw allows a user-controlled string to be parsed as JSON; if the resulting object contains a path key, the file it refers to is moved into a temporary directory. The move is performed by processing_utils.move_files_to_cache(), which traverses the supplied object looking for any dictionary that contains a path key. Consequently, an attacker can exploit this weakness to access files on the remote system, presenting a notable security threat.
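As an added defensive illustration (not Gradio's own code or its actual fix), the following Python walks a parsed JSON value the way the description above says move_files_to_cache() does, collects every nested "path" value, and refuses the object if any path resolves outside an assumed cache root. ALLOWED_ROOT and the function names are hypothetical.

```python
import json
import os
from pathlib import Path
from typing import Any, Iterator

# Assumed allow-listed cache directory; a real deployment would use its own.
ALLOWED_ROOT = Path("/tmp/gradio_cache")


def iter_path_values(obj: Any) -> Iterator[str]:
    """Walk nested dicts/lists and yield every string stored under a "path" key.
    This mirrors the traversal the advisory attributes to move_files_to_cache()."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            if key == "path" and isinstance(value, str):
                yield value
            yield from iter_path_values(value)
    elif isinstance(obj, list):
        for item in obj:
            yield from iter_path_values(item)


def is_within_root(candidate: str, root: Path) -> bool:
    """True only if the fully resolved path stays inside root, which rejects
    absolute paths, '..' segments and symlink escapes alike (no prefix matching)."""
    root_resolved = root.resolve()
    target = Path(candidate)
    if not target.is_absolute():
        target = root_resolved / target
    target = target.resolve()
    try:
        return os.path.commonpath([root_resolved, target]) == str(root_resolved)
    except ValueError:  # paths on different drives (Windows) share no root
        return False


def unsafe_path_entries(obj: Any, root: Path = ALLOWED_ROOT) -> list:
    """Return every nested "path" value that would escape root."""
    return [p for p in iter_path_values(obj) if not is_within_root(p, root)]


def safe_postprocess(raw: str, root: Path = ALLOWED_ROOT) -> Any:
    """Hypothetical hardened counterpart to the vulnerable postprocess(): parse the
    user-controlled string, and refuse to hand the result to any file-moving step
    if a nested "path" points outside the cache root."""
    data = json.loads(raw)
    bad = unsafe_path_entries(data, root)
    if bad:
        raise ValueError(f"refusing JSON with out-of-root path entries: {bad}")
    return data
```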

Affected Version(s)

gradio-app/gradio < 4.31.4

References

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

CVSS V3.0

Score:
7.5
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
