CVE-2021-43831

Опубликовано: 15 дек. 2021

Источник: nvd

CVSS3: 7.7

CVSS2: 3.5

EPSS Средний

Описание

Gradio is an open source framework for building interactive machine learning models and demos. In versions prior to 2.5.0 there is a vulnerability that affects anyone who creates and publicly shares Gradio interfaces. File paths are not restricted and users who receive a Gradio link can access any files on the host computer if they know the file names or file paths. This is limited only by the host operating system. Paths are opened in read only mode. The problem has been patched in gradio 2.5.0.

Ссылки

https://github.com/gradio-app/gradio/commit/41bd3645bdb616e1248b2167ca83636a2653f781
Patch
Third Party Advisory
https://github.com/gradio-app/gradio/security/advisories/GHSA-rhq2-3vr9-6mcr
Exploit
Third Party Advisory
https://github.com/gradio-app/gradio/commit/41bd3645bdb616e1248b2167ca83636a2653f781
Patch
Third Party Advisory
https://github.com/gradio-app/gradio/security/advisories/GHSA-rhq2-3vr9-6mcr
Exploit
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:gradio_project:gradio:*:*:*:*:*:python:*:*

Версия до 2.5.0 (исключая)

EPSS

Процентиль: 97%

0.30342

Средний

7.7 High

CVSS3

3.5 Low

CVSS2

Дефекты

CWE-22

Связанные уязвимости

GHSA-rhq2-3vr9-6mcr

CVSS3: 8.3

github

около 4 лет назад

Files on the host computer can be accessed from the Gradio interface