Platform: python
Component: gradio
Fixed in: 4.19.2
CVE-2024-1728 describes an Arbitrary File Access vulnerability within Gradio, a Python library for building user interfaces for machine learning models. This vulnerability allows malicious actors to access files on the server hosting Gradio applications that are exposed via public links, such as those deployed on Hugging Face Spaces. The vulnerability impacts Gradio versions 4.9.1 and earlier, and a patch is available in version 4.19.2 or higher.
The primary impact of CVE-2024-1728 is unauthorized access to files residing on the server hosting the Gradio application. Attackers can exploit this vulnerability by manipulating network requests, effectively bypassing intended access controls. The scope of accessible files depends on the server's configuration and permissions, potentially exposing sensitive data such as configuration files, source code, or even user data. While there's no current evidence of active exploitation, the public nature of Gradio deployments on platforms like Hugging Face Spaces increases the attack surface and potential for widespread compromise.
CVE-2024-1728 was publicly disclosed on September 25, 2024. While no active exploitation campaigns have been reported, the vulnerability's ease of exploitation and the widespread use of Gradio on platforms like Hugging Face Spaces warrant careful attention. The vulnerability is not currently listed on CISA's KEV catalog. Public proof-of-concept exploits are likely to emerge given the vulnerability's nature and the public disclosure.
Organizations and individuals deploying Gradio applications with public links, particularly those hosted on platforms like Hugging Face Spaces, are at risk. This includes machine learning engineers, data scientists, and developers who rely on Gradio for building and sharing interactive model demos. Legacy Gradio deployments and those with overly permissive file system permissions are particularly vulnerable.
• python / gradio: Monitor Gradio application logs for unusual file access attempts.

    import logging
    # Write application log records to a file so file-access attempts can be reviewed later.
    logging.basicConfig(filename='gradio_app.log', level=logging.INFO)
    # ... your Gradio app code ...

• generic web: Inspect access logs for requests targeting unusual file paths within the Gradio application directory.
• generic web: Check response headers for unexpected file content types or sizes.
• generic web: Use curl to attempt accessing files outside the intended application directory (e.g., /../../etc/passwd).

    curl 'http://your-gradio-app.com/../../etc/passwd'
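As an added example (not part of the original advisory or of the Gradio project), the log-inspection advice above turned into a small Python scanner run over constructed Common Log Format lines: it percent-decodes each request target repeatedly (so double-encoded traversal is unwrapped too), flags dot-dot traversal segments, and flags normalized paths under a set of assumed sensitive prefixes (`SENSITIVE_PREFIXES` is an assumption to tune per host).

```python
import re
import posixpath
from urllib.parse import unquote

# Constructed sample access log (Common Log Format), not taken from a real deployment.
SAMPLE_LOG = """\
10.0.0.5 - - [25/Sep/2024:10:01:02 +0000] "GET /static/logo.png HTTP/1.1" 200 5120
10.0.0.7 - - [25/Sep/2024:10:01:09 +0000] "GET /../../etc/passwd HTTP/1.1" 200 1874
10.0.0.7 - - [25/Sep/2024:10:01:11 +0000] "GET /%2e%2e/%2e%2e/app.py HTTP/1.1" 200 3301
10.0.0.7 - - [25/Sep/2024:10:01:14 +0000] "GET /%252e%252e/%252e%252e/config.yaml HTTP/1.1" 404 0
10.0.0.9 - - [25/Sep/2024:10:01:18 +0000] "GET /etc/passwd HTTP/1.1" 200 1874
10.0.0.5 - - [25/Sep/2024:10:01:20 +0000] "POST /api/predict HTTP/1.1" 200 88
"""

# Assumed list of path prefixes a Gradio demo should never serve; tune for your host.
SENSITIVE_PREFIXES = ("/etc/", "/proc/", "/root/", "/home/")
# Groups: 1 = client address, 2 = method, 3 = request target, 4 = status code.
CLF_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')


def decode_fully(target, max_rounds=3):
    """Percent-decode repeatedly so double-encoded %252e%252e is unwrapped too."""
    for _ in range(max_rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target


def classify_target(target):
    """Return a reason if the request target looks like a file-access probe, else None."""
    path = decode_fully(target.split("?", 1)[0]).replace("\\", "/")
    if ".." in path.split("/"):
        return "dot-dot traversal segment"
    normalized = posixpath.normpath(path)
    for prefix in SENSITIVE_PREFIXES:
        if normalized.startswith(prefix):
            return "request for system path under " + prefix
    return None


def scan_log(text):
    """Parse CLF lines and return the requests that look like file-access probes."""
    findings = []
    for line in text.splitlines():
        m = CLF_RE.match(line)  # lines that are not CLF are skipped
        if m and (reason := classify_target(m.group(3))):
            findings.append({"client": m.group(1), "target": m.group(3),
                             "status": int(m.group(4)), "reason": reason})
    return findings
```

The status code is kept in each finding so an analyst can tell a probe that was served (200) from one the server rejected (404), which also covers the "unexpected content sizes" check above.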
Exploit status:
EPSS: 87.95% (99th percentile)
CISA SSVC:
CVSS vector:
The recommended mitigation for CVE-2024-1728 is to immediately upgrade Gradio to version 4.19.2 or higher. This version includes a fix that addresses the underlying vulnerability. If an immediate upgrade is not feasible due to compatibility issues or breaking changes, consider implementing stricter network security controls around the Gradio application. This could involve using a Web Application Firewall (WAF) to filter malicious requests or implementing proxy servers to inspect and sanitize traffic. Thoroughly review and restrict file access permissions on the server hosting the Gradio application to limit the potential damage from a successful exploit. After upgrading, confirm the fix by attempting to access files outside of the intended application scope via network requests.
Update the gradio library to version 4.19.2 or higher. This fixes the local file inclusion vulnerability. You can update with `pip install --upgrade gradio`.
CVE-2024-1728 is a HIGH severity vulnerability allowing attackers to access files on the server hosting Gradio applications with public links. It affects versions ≤4.9.1.
Yes, if you are using Gradio version 4.9.1 or earlier and your application is accessible via a public link, you are potentially affected.
Upgrade Gradio to version 4.19.2 or higher to patch the vulnerability. Consider network restrictions and WAF rules as temporary mitigations.
There is currently no confirmed active exploitation, but the ease of exploitation suggests a high likelihood of future attacks.
Refer to the Gradio GitHub repository for the official advisory and patch details: https://github.com/gradio-app/gradio/commit/16fbe9cd0cffa9f2a824a01