PT-2021-23963 · Gradio · Gradio

Haby0 · Published 2021-12-15 · Updated 2022-01-21 · CVE-2021-43831

CVSS v4.0: 9.3 Critical
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Gradio versions prior to 2.5.0
Description: The issue affects users who create and publicly share Gradio interfaces. File paths are not restricted, so anyone who receives a Gradio link can read any file on the host computer whose name or path they know, subject only to the file permissions enforced by the host operating system. The files are opened in read-only mode. There is no evidence that this issue was ever exploited.
Recommendations: For Gradio versions prior to 2.5.0, update to version 2.5.0 or later to resolve the issue. As a temporary workaround, consider avoiding the sharing of Gradio interfaces until the update is applied. Restrict access to sensitive files on the host computer to minimize the risk of exploitation.
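The root cause described above is a file-serving path that is used as given, with no check that it stays inside the directory the application intends to expose. The following is an added illustration of that check and is not Gradio's code or its 2.5.0 fix; the directory layout, file names and the `read_shared_file` / `read_unrestricted` helpers are constructed here for the example. It canonicalises the requested path under an allowed root and refuses anything that resolves outside it, which covers `..` segments, absolute paths and symlinks pointing out of the root.

```python
import os
import tempfile
from pathlib import Path
from typing import Optional


def safe_resolve(root: str, requested: str) -> Optional[Path]:
    """Return the real path of `requested` only if it lies inside `root`.

    `requested` is treated as relative to `root`. Absolute paths are
    re-rooted, and `..` segments or symlinks that escape `root` yield None.
    """
    root_real = Path(root).resolve()
    # os.path.join / Path("/") discard the root when the second part is
    # absolute, so strip leading separators first: "/etc/hosts" -> "etc/hosts".
    relative = requested.lstrip("/\\")
    candidate = (root_real / relative).resolve()  # collapses "..", follows symlinks
    try:
        candidate.relative_to(root_real)  # raises ValueError when outside root
    except ValueError:
        return None
    return candidate


def read_shared_file(root: str, requested: str) -> str:
    """Hardened read: serve a file only if it resolves inside `root`."""
    target = safe_resolve(root, requested)
    if target is None:
        return "denied"
    if not target.is_file():
        return "missing"
    return target.read_text()


def read_unrestricted(root: str, requested: str) -> str:
    """The weak pattern: join and open with no containment check (for contrast)."""
    with open(os.path.join(root, requested)) as handle:
        return handle.read()


def demo() -> dict:
    """Build a throwaway directory tree (constructed sample data) and exercise
    both readers. Returns one outcome per request for inspection."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "shared"           # the directory we intend to expose
        root.mkdir()
        (root / "hello.txt").write_text("hello from the shared folder\n")
        secret = Path(tmp) / "secret.txt"     # a file outside the shared root
        secret.write_text("not for sharing\n")
        (root / "link").symlink_to(secret)    # symlink inside root pointing outside

        requests = ["hello.txt", "../secret.txt", "/secret.txt", "link"]
        results = {r: read_shared_file(str(root), r) for r in requests}
        # The unrestricted reader happily follows ".." out of the root.
        results["unrestricted:../secret.txt"] = read_unrestricted(str(root), "../secret.txt")
        return results


if __name__ == "__main__":
    for request, outcome in demo().items():
        print(f"{request!r}: {outcome!r}")
```

The containment test is done on the resolved path rather than on the string, because string filters (rejecting `..`, for instance) miss symlinks and platform-specific separators. A request that re-roots to a non-existent path simply reports `missing`, so the caller never learns whether a file exists outside the root.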

Exploit · Fix · Path traversal


Weakness Enumeration

Related Identifiers

CVE-2021-43831
GHSA-RHQ2-3VR9-6MCR
PYSEC-2021-873

Affected Products

Gradio