CVE-2023-34239

Опубликовано: 08 июн. 2023

Источник: nvd

CVSS3: 7.3

CVSS3: 9.1

EPSS Низкий

Описание

Gradio is an open-source Python library that is used to build machine learning and data science. Due to a lack of path filtering Gradio does not properly restrict file access to users. Additionally Gradio does not properly restrict the what URLs are proxied. These issues have been addressed in version 3.34.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Ссылки

https://github.com/gradio-app/gradio/pull/4370
Patch
https://github.com/gradio-app/gradio/pull/4406
Patch
https://github.com/gradio-app/gradio/security/advisories/GHSA-3qqg-pgqq-3695
Vendor Advisory
https://github.com/gradio-app/gradio/pull/4370
Patch
https://github.com/gradio-app/gradio/pull/4406
Patch
https://github.com/gradio-app/gradio/security/advisories/GHSA-3qqg-pgqq-3695
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:gradio_project:gradio:*:*:*:*:*:python:*:*

Версия до 3.34.0 (исключая)

EPSS

Процентиль: 43%

0.0021

Низкий

7.3 High

CVSS3

9.1 Critical

CVSS3

Дефекты

CWE-20

NVD-CWE-noinfo

Связанные уязвимости

GHSA-3qqg-pgqq-3695

CVSS3: 7.3

github

больше 2 лет назад

Gradio vulnerable to arbitrary file read and proxying of arbitrary URLs

EPSS

Процентиль: 43%

0.0021

Низкий

7.3 High

CVSS3

9.1 Critical

CVSS3

Дефекты

CWE-20

NVD-CWE-noinfo