Gradio
by Gradio App
Source repositories
CVEs (48)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2024-4253 | 0.00 | — | 0.02 | Jun 4, 2024 | A command injection vulnerability exists in the gradio-app/gradio repository, specifically within the 'test-functional.yml' workflow. The vulnerability arises due to improper neutralization of special elements used in a command, allowing for unauthorized modification of the base… | |||
| CVE-2024-1561 | 0.00 | — | 0.09 | Apr 16, 2024 | An issue was discovered in gradio-app/gradio, where the `/component_server` endpoint improperly allows the invocation of any method on a `Component` class with attacker-controlled arguments. Specifically, by exploiting the `move_resource_to_block_cache()` method of the `Block`… | |||
| CVE-2024-1183 | 0.00 | — | 0.02 | Apr 16, 2024 | An SSRF (Server-Side Request Forgery) vulnerability exists in the gradio-app/gradio repository, allowing attackers to scan and identify open ports within an internal network. By manipulating the 'file' parameter in a GET request, an attacker can discern the status of internal… | |||
| CVE-2024-1728 | 0.00 | — | 0.85 | Apr 10, 2024 | gradio-app/gradio is vulnerable to a local file inclusion vulnerability due to improper validation of user-supplied input in the UploadButton component. Attackers can exploit this vulnerability to read arbitrary files on the filesystem, such as private SSH keys, by manipulating… | |||
| CVE-2024-1729 | 0.00 | — | 0.01 | Mar 29, 2024 | A timing attack vulnerability exists in the gradio-app/gradio repository, specifically within the login function in routes.py. The vulnerability arises from the use of a direct comparison operation (`app.auth[username] == password`) to validate user credentials, which can be… | |||
| CVE-2024-1540 | 0.00 | — | 0.02 | Mar 27, 2024 | A command injection vulnerability exists in the deploy+test-visual.yml workflow of the gradio-app/gradio repository, due to improper neutralization of special elements used in a command. This vulnerability allows attackers to execute unauthorized commands, potentially leading to… | |||
| CVE-2024-2206 | 0.00 | — | 0.00 | Mar 27, 2024 | An SSRF vulnerability exists in the gradio-app/gradio due to insufficient validation of user-supplied URLs in the `/proxy` route. Attackers can exploit this vulnerability by manipulating the `self.replica_urls` set through the `X-Direct-Url` header in requests to the `/` and… | |||
| CVE-2024-1727 | 0.00 | — | 0.00 | Mar 21, 2024 | A Cross-Site Request Forgery (CSRF) vulnerability in gradio-app/gradio allows attackers to upload multiple large files to a victim's system if they are running Gradio locally. By crafting a malicious HTML page that triggers an unauthorized file upload to the victim's server, an… |
- CVE-2024-4253Jun 4, 2024risk 0.00cvss —epss 0.02
A command injection vulnerability exists in the gradio-app/gradio repository, specifically within the 'test-functional.yml' workflow. The vulnerability arises due to improper neutralization of special elements used in a command, allowing for unauthorized modification of the base…
- CVE-2024-1561Apr 16, 2024risk 0.00cvss —epss 0.09
An issue was discovered in gradio-app/gradio, where the `/component_server` endpoint improperly allows the invocation of any method on a `Component` class with attacker-controlled arguments. Specifically, by exploiting the `move_resource_to_block_cache()` method of the `Block`…
- CVE-2024-1183Apr 16, 2024risk 0.00cvss —epss 0.02
An SSRF (Server-Side Request Forgery) vulnerability exists in the gradio-app/gradio repository, allowing attackers to scan and identify open ports within an internal network. By manipulating the 'file' parameter in a GET request, an attacker can discern the status of internal…
- CVE-2024-1728Apr 10, 2024risk 0.00cvss —epss 0.85
gradio-app/gradio is vulnerable to a local file inclusion vulnerability due to improper validation of user-supplied input in the UploadButton component. Attackers can exploit this vulnerability to read arbitrary files on the filesystem, such as private SSH keys, by manipulating…
- CVE-2024-1729Mar 29, 2024risk 0.00cvss —epss 0.01
A timing attack vulnerability exists in the gradio-app/gradio repository, specifically within the login function in routes.py. The vulnerability arises from the use of a direct comparison operation (`app.auth[username] == password`) to validate user credentials, which can be…
- CVE-2024-1540Mar 27, 2024risk 0.00cvss —epss 0.02
A command injection vulnerability exists in the deploy+test-visual.yml workflow of the gradio-app/gradio repository, due to improper neutralization of special elements used in a command. This vulnerability allows attackers to execute unauthorized commands, potentially leading to…
- CVE-2024-2206Mar 27, 2024risk 0.00cvss —epss 0.00
An SSRF vulnerability exists in the gradio-app/gradio due to insufficient validation of user-supplied URLs in the `/proxy` route. Attackers can exploit this vulnerability by manipulating the `self.replica_urls` set through the `X-Direct-Url` header in requests to the `/` and…
- CVE-2024-1727Mar 21, 2024risk 0.00cvss —epss 0.00
A Cross-Site Request Forgery (CSRF) vulnerability in gradio-app/gradio allows attackers to upload multiple large files to a victim's system if they are running Gradio locally. By crafting a malicious HTML page that triggers an unauthorized file upload to the victim's server, an…
Page 3 of 3