AI Threat Alert
CVE-2023-51449
HIGHGradio is an open-source Python package that allows you to quickly build a demo or web application for your machine learning model, API, or any arbitary Python function. Versions of `gradio` prior to...
Full analysis pending. Showing NVD description excerpt.
Affected Systems
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| gradio | pip | — | No patch |
Do you use gradio? You're affected.
Severity & Risk
Recommended Action
No patch available
Monitor for updates. Consider compensating controls or temporary mitigations.
Compliance Impact
Compliance analysis pending. Sign in for full compliance mapping when available.
Technical Details
NVD Description
Gradio is an open-source Python package that allows you to quickly build a demo or web application for your machine learning model, API, or any arbitary Python function. Versions of `gradio` prior to 4.11.0 contained a vulnerability in the `/file` route which made them susceptible to file traversal attacks in which an attacker could access arbitrary files on a machine running a Gradio app with a public URL (e.g. if the demo was created with `share=True`, or on Hugging Face Spaces) if they knew the path of files to look for. This issue has been patched in version 4.11.0.
Weaknesses (CWE)
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N References
- github.com/gradio-app/gradio/commit/1b9d4234d6c25ef250d882c7b90e1f4039ed2d76 Patch
- github.com/gradio-app/gradio/commit/7ba8c5da45b004edd12c0460be9222f5b5f5f055 Patch
- github.com/gradio-app/gradio/security/advisories/GHSA-6qm2-wpxq-7qh2 3rd Party
- github.com/gradio-app/gradio/commit/1b9d4234d6c25ef250d882c7b90e1f4039ed2d76 Patch
- github.com/gradio-app/gradio/commit/7ba8c5da45b004edd12c0460be9222f5b5f5f055 Patch
- github.com/gradio-app/gradio/security/advisories/GHSA-6qm2-wpxq-7qh2 3rd Party