PT-2024-30005 · Gradio · Gradio

Published: 2024-06-04 · Updated: 2025-10-15 · CVE-2024-4254
CVSS v3.1: 7.1 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
Name of the Vulnerable Software and Affected Versions: gradio-app/gradio (affected versions not specified)
Description: The 'deploy-website.yml' workflow in the gradio-app/gradio repository is vulnerable to secrets exfiltration due to improper authorization. The workflow explicitly checks out and executes code from a fork, so untrusted code runs in an environment that can push to the base repository and read its secrets. Sensitive secrets such as GITHUB_TOKEN, HF_TOKEN, VERCEL_ORG_ID, VERCEL_PROJECT_ID, COMMENT_TOKEN, AWSACCESSKEYID, AWSSECRETKEY, and VERCEL_TOKEN could be exfiltrated.
Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.
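As an added illustration of the misconfiguration class described above (constructed for this page, not the actual deploy-website.yml, whose contents the advisory does not reproduce): the trigger, checkout reference, build commands and secret names are assumptions. The weak variant checks out and runs a fork's code under a privileged trigger with secrets in scope; the hardened variant builds the untrusted code in an unprivileged job with a read-only token and no repository secrets.

```yaml
# Weak pattern (constructed example): a privileged trigger checks out and
# executes the fork's code while repository secrets are available to it.
name: deploy-website-weak
on:
  pull_request_target:          # runs with base-repo permissions and secrets
jobs:
  build-and-deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}   # fork-controlled code
      - run: npm ci && npm run build   # package scripts from the fork run here
        env:
          VERCEL_TOKEN: ${{ secrets.VERCEL_TOKEN }}  # readable by that code

---
# Hardened pattern (constructed example): untrusted code is built in a job
# that has no secrets and only a read-only token; nothing privileged runs it.
name: deploy-website-hardened
on:
  pull_request:                 # fork PRs: read-only GITHUB_TOKEN, no secrets
permissions:
  contents: read                # least privilege for the whole workflow
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4            # PR merge ref, no secrets in scope
      - run: npm ci && npm run build
      - uses: actions/upload-artifact@v4     # hand the result off as data
        with:
          name: site
          path: dist/
```

Any deployment step that needs VERCEL_TOKEN or similar belongs in a separate workflow that checks out only trusted base-branch code and consumes the uploaded artifact as data, never executing it.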

Exploit

Weakness Enumeration: Improper Authorization

Related Identifiers: CVE-2024-4254

Affected Products: Gradio