Lookup for vulnerabilities affecting packages.
| Vulnerability_id | VCID-fcry-haph-rkgh |
|---|
| Summary | Duplicate Advisory: Gradio Local File Inclusion vulnerability
## Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-m842-4qm8-7gpq. This link is maintained to preserve external references.
## Original Description
gradio-app/gradio is vulnerable to a local file inclusion vulnerability due to improper validation of user-supplied input in the UploadButton component. Attackers can exploit this vulnerability to read arbitrary files on the filesystem, such as private SSH keys, by manipulating the file path in the request to the `/queue/join` endpoint. This issue could potentially lead to remote code execution. The vulnerability is present in the handling of file upload paths, allowing attackers to redirect file uploads to unintended locations on the server. |
|---|
| Aliases |
| 0 |
| alias |
GHSA-3f95-mxq2-2f63 |
|
|
|---|
| Fixed_packages |
| 0 |
| url |
pkg:pypi/gradio@4.19.2 |
| purl |
pkg:pypi/gradio@4.19.2 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-135r-znhp-5yge |
|
| 1 |
| vulnerability |
VCID-17vf-h543-33ch |
|
| 2 |
| vulnerability |
VCID-77wy-te8b-9qgc |
|
| 3 |
| vulnerability |
VCID-7my4-fvg8-kqhw |
|
| 4 |
| vulnerability |
VCID-7qyj-s1nm-ekay |
|
| 5 |
| vulnerability |
VCID-a3xu-7cqy-gyhd |
|
| 6 |
| vulnerability |
VCID-cbe3-n9tq-6yas |
|
| 7 |
| vulnerability |
VCID-dugv-7fyw-dke5 |
|
| 8 |
| vulnerability |
VCID-ec3r-7thk-mbhr |
|
| 9 |
| vulnerability |
VCID-gs22-farz-afdd |
|
| 10 |
| vulnerability |
VCID-gyvv-u98g-6keb |
|
| 11 |
| vulnerability |
VCID-hhx7-n4cb-qbcc |
|
| 12 |
| vulnerability |
VCID-kt73-gz4z-6faf |
|
| 13 |
| vulnerability |
VCID-rdck-p2jh-cfbz |
|
| 14 |
| vulnerability |
VCID-reuv-7se1-pubz |
|
| 15 |
| vulnerability |
VCID-ry9e-qctr-7fbe |
|
| 16 |
| vulnerability |
VCID-vad2-ydnk-nkgs |
|
| 17 |
| vulnerability |
VCID-w8ua-mp21-v3cv |
|
| 18 |
| vulnerability |
VCID-zycs-zpma-xqey |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/gradio@4.19.2 |
|
|
|---|
| Affected_packages |
|
|---|
| References |
|
|---|
| Weaknesses |
| 0 |
| cwe_id |
22 |
| name |
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') |
| description |
The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
|
| 1 |
| cwe_id |
937 |
| name |
OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities |
| description |
Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013. |
|
| 2 |
| cwe_id |
1035 |
| name |
OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities |
| description |
Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017. |
|
|
|---|
| Exploits |
|
|---|
| Severity_range_score | 7.0 - 8.9 |
|---|
| Exploitability | null |
|---|
| Weighted_severity | null |
|---|
| Risk_score | null |
|---|
| Resource_url | http://public2.vulnerablecode.io/vulnerabilities/VCID-fcry-haph-rkgh |
|---|