Description
Gradio is an open-source Python package designed for quick prototyping. Prior to version 6.6.0, the _redirect_to_target() function in Gradio's OAuth flow accepts an unvalidated _target_url query parameter, allowing redirection to arbitrary external URLs. This affects the /logout and /login/callback endpoints on Gradio apps with OAuth enabled (i.e. apps running on Hugging Face Spaces with gr.LoginButton). Starting in version 6.6.0, the _target_url parameter is sanitized to only use the path, query, and fragment, stripping any scheme or host.
A flaw was found in Gradio, an open-source Python package. The _redirect_to_target() function in Gradio's OAuth flow accepts an unvalidated _target_url query parameter. A remote attacker can exploit this vulnerability by crafting a malicious URL, leading to an open redirect. This allows the attacker to redirect users to arbitrary external websites, potentially enabling phishing attacks or other forms of user manipulation.
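The description above states that the fixed version keeps only the path, query and fragment of `_target_url` and strips any scheme or host. The following is an added example written for this page, not Gradio's own code: it puts a deliberately unvalidated redirect helper beside a hardened one that applies the same "path, query, fragment only" rule, so the two behaviours can be compared on constructed inputs. The function names (`unsafe_redirect_target`, `sanitize_target_url`) and the sample URLs are assumptions made for the example.

```python
"""Added example: open-redirect target handling, unvalidated vs. sanitized.

Neither function is Gradio's; both names and all sample inputs are
constructed for illustration of the behaviour the advisory describes.
"""
from typing import Optional
from urllib.parse import urlsplit, urlunsplit


def unsafe_redirect_target(target_url: Optional[str], default: str = "/") -> str:
    """Vulnerable pattern: trust the query parameter as-is.

    Whatever the caller puts in ?_target_url= becomes the Location header,
    so an absolute URL to a foreign host is followed by the browser.
    """
    return target_url or default


def sanitize_target_url(target_url: Optional[str], default: str = "/") -> str:
    """Hardened pattern: keep only path, query and fragment.

    Scheme and host are discarded, so the redirect can only land on the
    same origin the request was made to. A few browser-specific spellings
    that urlsplit() alone does not neutralise are normalised as well:
      * "//evil.example/..."  (protocol-relative) -> urlsplit puts the host
        in netloc, which we drop.
      * "/\\evil.example"     (backslash) -> browsers treat "\\" as "/",
        so we normalise it and collapse leading slashes.
    """
    if not target_url:
        return default

    parts = urlsplit(target_url)
    path = parts.path or "/"

    # Browsers interpret a backslash in this position like a forward slash;
    # normalise before checking for a protocol-relative prefix.
    path = path.replace("\\", "/")
    # Collapse "//host" (or "///host") so a host can't be smuggled back in.
    if path.startswith("//"):
        path = "/" + path.lstrip("/")
    # Always produce an absolute path on the current origin.
    if not path.startswith("/"):
        path = "/" + path

    # Empty scheme and netloc: urlunsplit yields "/path?query#fragment".
    return urlunsplit(("", "", path, parts.query, parts.fragment))


def leaves_origin(target_url: Optional[str]) -> bool:
    """True when the unvalidated handling would have sent the user off-site.

    Useful as a detection check over access logs: any request whose
    _target_url would be rewritten by the sanitizer is worth flagging.
    """
    return unsafe_redirect_target(target_url) != sanitize_target_url(target_url)


if __name__ == "__main__":
    # Constructed sample values for a quick side-by-side run.
    for sample in ("/dashboard?tab=1", "https://evil.example/phish?x=1#f",
                   "//evil.example/a", "/\\evil.example"):
        print(f"{sample!r:40} unsafe={unsafe_redirect_target(sample)!r:40} "
              f"safe={sanitize_target_url(sample)!r}")
```

The `leaves_origin` helper is the defender-side view of the same rule: run it over the `_target_url` values seen in request logs and anything that returns `True` is a redirect that the pre-6.6.0 code would have followed to a foreign host.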
Statement
This MODERATE impact vulnerability in Gradio's OAuth flow allows for open redirection due to an unvalidated _target_url query parameter. Red Hat products utilizing Gradio with OAuth enabled, such as the ansible-chatbot-service, may be affected if running vulnerable versions. Exploitation requires user interaction with the /logout or /login/callback endpoints.
Mitigation
To mitigate this open redirect vulnerability, restrict network access to the Gradio application's /logout and /login/callback endpoints, particularly if OAuth is enabled. Ensure these endpoints are not directly exposed to untrusted networks or users. If the OAuth functionality is not required for the specific deployment of the Gradio application, consider disabling it to remove the vulnerable attack surface. Consult application documentation for specific configuration details regarding OAuth and endpoint exposure. A service restart or reload may be required for changes to take effect.
Additional information
Status:
4.3 Medium (CVSS3)
Related vulnerabilities
Gradio is an open-source Python package designed for quick prototyping. Prior to version 6.6.0, the _redirect_to_target() function in Gradio's OAuth flow accepts an unvalidated _target_url query parameter, allowing redirection to arbitrary external URLs. This affects the /logout and /login/callback endpoints on Gradio apps with OAuth enabled (i.e. apps running on Hugging Face Spaces with gr.LoginButton). Starting in version 6.6.0, the _target_url parameter is sanitized to only use the path, query, and fragment, stripping any scheme or host.
4.3 Medium (CVSS3)