Note:
This project will be discontinued after December 13, 2021. [more]
Product:
Gradio
(Gradio_project)| Repositories |
Unknown: This might be proprietary software. |
| #Vulnerabilities | 22 |
| Date | Id | Summary | Products | Score | Patch | Annotated |
|---|---|---|---|---|---|---|
| 2023-02-23 | CVE-2023-25823 | Gradio is an open-source Python library to build machine learning and data science demos and web applications. Versions prior to 3.13.1 contain Use of Hard-coded Credentials. When using Gradio's share links (i.e. creating a Gradio app and then setting `share=True`), a private SSH key is sent to any user that connects to the Gradio machine, which means that a user could access other users' shared Gradio demos. From there, other exploits are possible depending on the level of access/exposure... | Gradio | 9.8 | ||
| 2023-06-08 | CVE-2023-34239 | Gradio is an open-source Python library that is used to build machine learning and data science. Due to a lack of path filtering Gradio does not properly restrict file access to users. Additionally Gradio does not properly restrict the what URLs are proxied. These issues have been addressed in version 3.34.0. Users are advised to upgrade. There are no known workarounds for this vulnerability. | Gradio | 9.1 | ||
| 2023-09-15 | CVE-2023-41626 | Gradio v3.27.0 was discovered to contain an arbitrary file upload vulnerability via the /upload interface. | Gradio | 4.8 | ||
| 2023-12-14 | CVE-2023-6572 | Command Injection in GitHub repository gradio-app/gradio prior to main. | Gradio | 8.1 | ||
| 2023-12-22 | CVE-2023-51449 | Gradio is an open-source Python package that allows you to quickly build a demo or web application for your machine learning model, API, or any arbitary Python function. Versions of `gradio` prior to 4.11.0 contained a vulnerability in the `/file` route which made them susceptible to file traversal attacks in which an attacker could access arbitrary files on a machine running a Gradio app with a public URL (e.g. if the demo was created with `share=True`, or on Hugging Face Spaces) if they... | Gradio | 7.5 | ||
| 2024-02-05 | CVE-2024-0964 | A local file include could be remotely triggered in Gradio due to a vulnerable user-supplied JSON value in an API request. | Gradio | 9.4 | ||
| 2024-06-06 | CVE-2024-4325 | A Server-Side Request Forgery (SSRF) vulnerability exists in the gradio-app/gradio version 4.21.0, specifically within the `/queue/join` endpoint and the `save_url_to_cache` function. The vulnerability arises when the `path` value, obtained from the user and expected to be a URL, is used to make an HTTP request without sufficient validation checks. This flaw allows an attacker to send crafted requests that could lead to unauthorized access to the local network or the AWS metadata endpoint,... | Gradio | 8.6 | ||
| 2024-06-06 | CVE-2024-4941 | A local file inclusion vulnerability exists in the JSON component of gradio-app/gradio version 4.25. The vulnerability arises from improper input validation in the `postprocess()` function within `gradio/components/json_component.py`, where a user-controlled string is parsed as JSON. If the parsed JSON object contains a `path` key, the specified file is moved to a temporary directory, making it possible to retrieve it later via the `/file=..` endpoint. This issue is due to the... | Gradio | 7.5 | ||
| 2024-10-10 | CVE-2024-47867 | Gradio is an open-source Python package designed for quick prototyping. This vulnerability is a **lack of integrity check** on the downloaded FRP client, which could potentially allow attackers to introduce malicious code. If an attacker gains access to the remote URL from which the FRP client is downloaded, they could modify the binary without detection, as the Gradio server does not verify the file's checksum or signature. Any users utilizing the Gradio server's sharing mechanism that... | Gradio | 7.5 | ||
| 2024-10-10 | CVE-2024-47084 | Gradio is an open-source Python package designed for quick prototyping. This vulnerability is related to **CORS origin validation**, where the Gradio server fails to validate the request origin when a cookie is present. This allows an attacker’s website to make unauthorized requests to a local Gradio server. Potentially, attackers can upload files, steal authentication tokens, and access user data if the victim visits a malicious website while logged into Gradio. This impacts users who have... | Gradio | 8.3 |