secure-code-warrior-for-github[bot]
commented
1 year ago Micro-Learning Topic: Hard-coded credential (Detected by phrase)
Matched on "Hard-coded Credential"
This vulnerability occurs when the keys used for performing the encryption are not secured properly. This could be because the keys are hard coded in the app and remain same throughout the application life cycle and for each version installed on different devices. The use of a hard coded cryptographic key tremendously increases the probability that encrypted data may be recovered.
Try a challenge in Secure Code Warrior
Micro-Learning Topic: Vulnerable library (Detected by phrase)
Matched on "Vulnerable Library"
Use of vulnerable components will introduce weaknesses into the application. Components with published vulnerabilities will allow easy exploitation as resources will often be available to automate the process.
Python library for easily interacting with trained machine learning models
Library home page: https://files.pythonhosted.org/packages/72/63/197bb7a284a2eebeb7b978107c47e8d63abf4152a38326034e3a435f9d7e/gradio-3.4b2-py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c
Vulnerabilities
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2024-39236
### Vulnerable Library - gradio-3.4b2-py3-none-any.whlPython library for easily interacting with trained machine learning models
Library home page: https://files.pythonhosted.org/packages/72/63/197bb7a284a2eebeb7b978107c47e8d63abf4152a38326034e3a435f9d7e/gradio-3.4b2-py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy: - :x: **gradio-3.4b2-py3-none-any.whl** (Vulnerable Library)
Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c
Found in base branch: main
### Vulnerability DetailsGradio v4.36.1 was discovered to contain a code injection vulnerability via the component /gradio/component_meta.py. This vulnerability is triggered via a crafted input.
Publish Date: 2024-07-01
URL: CVE-2024-39236
### CVSS 3 Score Details (9.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2023-25823
### Vulnerable Library - gradio-3.4b2-py3-none-any.whlPython library for easily interacting with trained machine learning models
Library home page: https://files.pythonhosted.org/packages/72/63/197bb7a284a2eebeb7b978107c47e8d63abf4152a38326034e3a435f9d7e/gradio-3.4b2-py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy: - :x: **gradio-3.4b2-py3-none-any.whl** (Vulnerable Library)
Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c
Found in base branch: main
### Vulnerability DetailsGradio is an open-source Python library to build machine learning and data science demos and web applications. Versions prior to 3.13.1 contain Use of Hard-coded Credentials. When using Gradio's share links (i.e. creating a Gradio app and then setting `share=True`), a private SSH key is sent to any user that connects to the Gradio machine, which means that a user could access other users' shared Gradio demos. From there, other exploits are possible depending on the level of access/exposure the Gradio app provides. This issue is patched in version 3.13.1, however, users are recommended to update to 3.19.1 or later where the FRP solution has been properly tested.
Publish Date: 2023-02-23
URL: CVE-2023-25823
### CVSS 3 Score Details (9.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/advisories/GHSA-3x5j-9vwr-8rr5
Release Date: 2023-02-23
Fix Resolution: 3.13.1
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2024-0964
### Vulnerable Library - gradio-3.4b2-py3-none-any.whlPython library for easily interacting with trained machine learning models
Library home page: https://files.pythonhosted.org/packages/72/63/197bb7a284a2eebeb7b978107c47e8d63abf4152a38326034e3a435f9d7e/gradio-3.4b2-py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy: - :x: **gradio-3.4b2-py3-none-any.whl** (Vulnerable Library)
Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c
Found in base branch: main
### Vulnerability DetailsA local file include could be remotely triggered in Gradio due to a vulnerable user-supplied JSON value in an API request.
Publish Date: 2024-02-05
URL: CVE-2024-0964
### CVSS 3 Score Details (9.4)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: Low
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Release Date: 2024-02-05
Fix Resolution: 4.9.0
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2023-34239
### Vulnerable Library - gradio-3.4b2-py3-none-any.whlPython library for easily interacting with trained machine learning models
Library home page: https://files.pythonhosted.org/packages/72/63/197bb7a284a2eebeb7b978107c47e8d63abf4152a38326034e3a435f9d7e/gradio-3.4b2-py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy: - :x: **gradio-3.4b2-py3-none-any.whl** (Vulnerable Library)
Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c
Found in base branch: main
### Vulnerability DetailsGradio is an open-source Python library that is used to build machine learning and data science. Due to a lack of path filtering Gradio does not properly restrict file access to users. Additionally Gradio does not properly restrict the what URLs are proxied. These issues have been addressed in version 3.34.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Publish Date: 2023-06-08
URL: CVE-2023-34239
### CVSS 3 Score Details (9.1)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/gradio-app/gradio/security/advisories/GHSA-3qqg-pgqq-3695
Release Date: 2023-06-08
Fix Resolution: 3.33.0
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2024-4325
### Vulnerable Library - gradio-3.4b2-py3-none-any.whlPython library for easily interacting with trained machine learning models
Library home page: https://files.pythonhosted.org/packages/72/63/197bb7a284a2eebeb7b978107c47e8d63abf4152a38326034e3a435f9d7e/gradio-3.4b2-py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy: - :x: **gradio-3.4b2-py3-none-any.whl** (Vulnerable Library)
Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c
Found in base branch: main
### Vulnerability DetailsA Server-Side Request Forgery (SSRF) vulnerability exists in the gradio-app/gradio version 4.21.0, specifically within the `/queue/join` endpoint and the `save_url_to_cache` function. The vulnerability arises when the `path` value, obtained from the user and expected to be a URL, is used to make an HTTP request without sufficient validation checks. This flaw allows an attacker to send crafted requests that could lead to unauthorized access to the local network or the AWS metadata endpoint, thereby compromising the security of internal servers.
Publish Date: 2024-06-06
URL: CVE-2024-4325
### CVSS 3 Score Details (8.6)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Changed - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: None - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2024-4325
Release Date: 2024-06-06
Fix Resolution: 4.23.0
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2024-1540
### Vulnerable Library - gradio-3.4b2-py3-none-any.whlPython library for easily interacting with trained machine learning models
Library home page: https://files.pythonhosted.org/packages/72/63/197bb7a284a2eebeb7b978107c47e8d63abf4152a38326034e3a435f9d7e/gradio-3.4b2-py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy: - :x: **gradio-3.4b2-py3-none-any.whl** (Vulnerable Library)
Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c
Found in base branch: main
### Vulnerability DetailsA command injection vulnerability exists in the deploy+test-visual.yml workflow of the gradio-app/gradio repository, due to improper neutralization of special elements used in a command. This vulnerability allows attackers to execute unauthorized commands, potentially leading to unauthorized modification of the base repository or secrets exfiltration. The issue arises from the unsafe handling of GitHub context information within a `run` operation, where expressions inside `${{ }}` are evaluated and substituted before script execution. Remediation involves setting untrusted input values to intermediate environment variables to prevent direct influence on script generation.
Publish Date: 2024-03-27
URL: CVE-2024-1540
### CVSS 3 Score Details (8.6)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: Low - Availability Impact: Low
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2024-1540
Release Date: 2024-03-27
Fix Resolution: 4.18.0
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2024-4941
### Vulnerable Library - gradio-3.4b2-py3-none-any.whlPython library for easily interacting with trained machine learning models
Library home page: https://files.pythonhosted.org/packages/72/63/197bb7a284a2eebeb7b978107c47e8d63abf4152a38326034e3a435f9d7e/gradio-3.4b2-py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy: - :x: **gradio-3.4b2-py3-none-any.whl** (Vulnerable Library)
Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c
Found in base branch: main
### Vulnerability DetailsA local file inclusion vulnerability exists in the JSON component of gradio-app/gradio version 4.25. The vulnerability arises from improper input validation in the `postprocess()` function within `gradio/components/json_component.py`, where a user-controlled string is parsed as JSON. If the parsed JSON object contains a `path` key, the specified file is moved to a temporary directory, making it possible to retrieve it later via the `/file=..` endpoint. This issue is due to the `processing_utils.move_files_to_cache()` function traversing any object passed to it, looking for a dictionary with a `path` key, and then copying the specified file to a temporary directory. The vulnerability can be exploited by an attacker to read files on the remote system, posing a significant security risk.
Publish Date: 2024-06-06
URL: CVE-2024-4941
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: None - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2024-4941
Release Date: 2024-06-06
Fix Resolution: 4.23.0
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2024-34510
### Vulnerable Library - gradio-3.4b2-py3-none-any.whlPython library for easily interacting with trained machine learning models
Library home page: https://files.pythonhosted.org/packages/72/63/197bb7a284a2eebeb7b978107c47e8d63abf4152a38326034e3a435f9d7e/gradio-3.4b2-py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy: - :x: **gradio-3.4b2-py3-none-any.whl** (Vulnerable Library)
Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c
Found in base branch: main
### Vulnerability DetailsGradio before 4.20 allows credential leakage on Windows.
Publish Date: 2024-05-05
URL: CVE-2024-34510
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: None - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Release Date: 2024-05-05
Fix Resolution: 4.20.0
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2024-1728
### Vulnerable Library - gradio-3.4b2-py3-none-any.whlPython library for easily interacting with trained machine learning models
Library home page: https://files.pythonhosted.org/packages/72/63/197bb7a284a2eebeb7b978107c47e8d63abf4152a38326034e3a435f9d7e/gradio-3.4b2-py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy: - :x: **gradio-3.4b2-py3-none-any.whl** (Vulnerable Library)
Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c
Found in base branch: main
### Vulnerability Detailsgradio-app/gradio is vulnerable to a local file inclusion vulnerability due to improper validation of user-supplied input in the UploadButton component. Attackers can exploit this vulnerability to read arbitrary files on the filesystem, such as private SSH keys, by manipulating the file path in the request to the `/queue/join` endpoint. This issue could potentially lead to remote code execution. The vulnerability is present in the handling of file upload paths, allowing attackers to redirect file uploads to unintended locations on the server.
Publish Date: 2024-04-10
URL: CVE-2024-1728
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: None - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2024-1728
Release Date: 2024-04-10
Fix Resolution: 4.19.2
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2024-1561
### Vulnerable Library - gradio-3.4b2-py3-none-any.whlPython library for easily interacting with trained machine learning models
Library home page: https://files.pythonhosted.org/packages/72/63/197bb7a284a2eebeb7b978107c47e8d63abf4152a38326034e3a435f9d7e/gradio-3.4b2-py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy: - :x: **gradio-3.4b2-py3-none-any.whl** (Vulnerable Library)
Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c
Found in base branch: main
### Vulnerability DetailsAn issue was discovered in gradio-app/gradio, where the `/component_server` endpoint improperly allows the invocation of any method on a `Component` class with attacker-controlled arguments. Specifically, by exploiting the `move_resource_to_block_cache()` method of the `Block` class, an attacker can copy any file on the filesystem to a temporary directory and subsequently retrieve it. This vulnerability enables unauthorized local file read access, posing a significant risk especially when the application is exposed to the internet via `launch(share=True)`, thereby allowing remote attackers to read files on the host machine. Furthermore, gradio apps hosted on `huggingface.co` are also affected, potentially leading to the exposure of sensitive information such as API keys and credentials stored in environment variables.
Publish Date: 2024-04-16
URL: CVE-2024-1561
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: None - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2024-1561
Release Date: 2024-04-16
Fix Resolution: 4.13.0
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2023-51449
### Vulnerable Library - gradio-3.4b2-py3-none-any.whlPython library for easily interacting with trained machine learning models
Library home page: https://files.pythonhosted.org/packages/72/63/197bb7a284a2eebeb7b978107c47e8d63abf4152a38326034e3a435f9d7e/gradio-3.4b2-py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy: - :x: **gradio-3.4b2-py3-none-any.whl** (Vulnerable Library)
Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c
Found in base branch: main
### Vulnerability DetailsGradio is an open-source Python package that allows you to quickly build a demo or web application for your machine learning model, API, or any arbitary Python function. Versions of `gradio` prior to 4.11.0 contained a vulnerability in the `/file` route which made them susceptible to file traversal attacks in which an attacker could access arbitrary files on a machine running a Gradio app with a public URL (e.g. if the demo was created with `share=True`, or on Hugging Face Spaces) if they knew the path of files to look for. This issue has been patched in version 4.11.0.
Publish Date: 2023-12-22
URL: CVE-2023-51449
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: None - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-51449
Release Date: 2023-12-22
Fix Resolution: 4.11.0
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2024-2206
### Vulnerable Library - gradio-3.4b2-py3-none-any.whlPython library for easily interacting with trained machine learning models
Library home page: https://files.pythonhosted.org/packages/72/63/197bb7a284a2eebeb7b978107c47e8d63abf4152a38326034e3a435f9d7e/gradio-3.4b2-py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy: - :x: **gradio-3.4b2-py3-none-any.whl** (Vulnerable Library)
Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c
Found in base branch: main
### Vulnerability DetailsAn SSRF vulnerability exists in the gradio-app/gradio due to insufficient validation of user-supplied URLs in the `/proxy` route. Attackers can exploit this vulnerability by manipulating the `self.replica_urls` set through the `X-Direct-Url` header in requests to the `/` and `/config` routes, allowing the addition of arbitrary URLs for proxying. This flaw enables unauthorized proxying of requests and potential access to internal endpoints within the Hugging Face space. The issue arises from the application's inadequate checking of safe URLs in the `build_proxy_request` function.
Publish Date: 2024-03-27
URL: CVE-2024-2206
### CVSS 3 Score Details (7.3)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: Low
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2024-2206
Release Date: 2024-03-27
Fix Resolution: 4.18.0
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2024-34511
### Vulnerable Library - gradio-3.4b2-py3-none-any.whlPython library for easily interacting with trained machine learning models
Library home page: https://files.pythonhosted.org/packages/72/63/197bb7a284a2eebeb7b978107c47e8d63abf4152a38326034e3a435f9d7e/gradio-3.4b2-py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy: - :x: **gradio-3.4b2-py3-none-any.whl** (Vulnerable Library)
Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c
Found in base branch: main
### Vulnerability DetailsComponent Server in Gradio before 4.13 does not properly consider _is_server_fn for functions.
Publish Date: 2024-05-05
URL: CVE-2024-34511
### CVSS 3 Score Details (6.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: Low - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2024-34511
Release Date: 2024-05-05
Fix Resolution: 4.13.0
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2024-1183
### Vulnerable Library - gradio-3.4b2-py3-none-any.whlPython library for easily interacting with trained machine learning models
Library home page: https://files.pythonhosted.org/packages/72/63/197bb7a284a2eebeb7b978107c47e8d63abf4152a38326034e3a435f9d7e/gradio-3.4b2-py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy: - :x: **gradio-3.4b2-py3-none-any.whl** (Vulnerable Library)
Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c
Found in base branch: main
### Vulnerability DetailsAn SSRF (Server-Side Request Forgery) vulnerability exists in the gradio-app/gradio repository, allowing attackers to scan and identify open ports within an internal network. By manipulating the 'file' parameter in a GET request, an attacker can discern the status of internal ports based on the presence of a 'Location' header or a 'File not allowed' error in the response.
Publish Date: 2024-04-16
URL: CVE-2024-1183
### CVSS 3 Score Details (6.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: None - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2024-1183
Release Date: 2024-04-16
Fix Resolution: 4.11.0
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2024-1729
### Vulnerable Library - gradio-3.4b2-py3-none-any.whlPython library for easily interacting with trained machine learning models
Library home page: https://files.pythonhosted.org/packages/72/63/197bb7a284a2eebeb7b978107c47e8d63abf4152a38326034e3a435f9d7e/gradio-3.4b2-py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy: - :x: **gradio-3.4b2-py3-none-any.whl** (Vulnerable Library)
Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c
Found in base branch: main
### Vulnerability DetailsA timing attack vulnerability exists in the gradio-app/gradio repository, specifically within the login function in routes.py. The vulnerability arises from the use of a direct comparison operation (`app.auth[username] == password`) to validate user credentials, which can be exploited to guess passwords based on response times. Successful exploitation of this vulnerability could allow an attacker to bypass authentication mechanisms and gain unauthorized access.
Publish Date: 2024-03-29
URL: CVE-2024-1729
### CVSS 3 Score Details (5.9)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: None - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/advisories/GHSA-hmx6-r76c-85g9
Release Date: 2024-03-29
Fix Resolution: 4.19.2
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2024-4940
### Vulnerable Library - gradio-3.4b2-py3-none-any.whlPython library for easily interacting with trained machine learning models
Library home page: https://files.pythonhosted.org/packages/72/63/197bb7a284a2eebeb7b978107c47e8d63abf4152a38326034e3a435f9d7e/gradio-3.4b2-py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy: - :x: **gradio-3.4b2-py3-none-any.whl** (Vulnerable Library)
Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c
Found in base branch: main
### Vulnerability DetailsAn open redirect vulnerability exists in the gradio-app/gradio, affecting the latest version. The vulnerability allows an attacker to redirect users to arbitrary websites, which can be exploited for phishing attacks, Cross-site Scripting (XSS), Server-Side Request Forgery (SSRF), amongst others. This issue is due to improper validation of user-supplied input in the handling of URLs. Attackers can exploit this vulnerability by crafting a malicious URL that, when processed by the application, redirects the user to an attacker-controlled web page.
Publish Date: 2024-06-22
URL: CVE-2024-4940
### CVSS 3 Score Details (5.4)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: None
For more information on CVSS3 Scores, click here. Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2024-1727
### Vulnerable Library - gradio-3.4b2-py3-none-any.whlPython library for easily interacting with trained machine learning models
Library home page: https://files.pythonhosted.org/packages/72/63/197bb7a284a2eebeb7b978107c47e8d63abf4152a38326034e3a435f9d7e/gradio-3.4b2-py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy: - :x: **gradio-3.4b2-py3-none-any.whl** (Vulnerable Library)
Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c
Found in base branch: main
### Vulnerability DetailsA Cross-Site Request Forgery (CSRF) vulnerability in gradio-app/gradio allows attackers to upload multiple large files to a victim's system if they are running Gradio locally. By crafting a malicious HTML page that triggers an unauthorized file upload to the victim's server, an attacker can deplete the system's disk space, potentially leading to a denial of service. This issue affects the file upload functionality as implemented in gradio/routes.py.
Publish Date: 2024-03-21
URL: CVE-2024-1727
### CVSS 3 Score Details (4.3)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: Low
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2024-1727
Release Date: 2024-03-21
Fix Resolution: 4.19.2
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)