CVE-2023-34239: Gradio vulnerable to arbitrary file read and proxying of arbitrary URLs
(updated )
There are two separate security vulnerabilities here: (1) a security vulnerability that allows users to read arbitrary files on the machines that are running shared Gradio apps (2) the ability of users to use machines that are sharing Gradio apps to proxy arbitrary URLs
References
- github.com/advisories/GHSA-3qqg-pgqq-3695
- github.com/gradio-app/gradio
- github.com/gradio-app/gradio/commit/37967617bd97615fb6f3b44e7750c0e0be58479a
- github.com/gradio-app/gradio/commit/37967617bd97615fb6f3b44e7750c0e0be58479a
- github.com/gradio-app/gradio/commit/cd64130d54e678525774bbb200ef9c7166fa1543
- github.com/gradio-app/gradio/pull/4370
- github.com/gradio-app/gradio/pull/4406
- github.com/gradio-app/gradio/security/advisories/GHSA-3qqg-pgqq-3695
- github.com/pypa/advisory-database/tree/main/vulns/gradio/PYSEC-2023-90.yaml
- nvd.nist.gov/vuln/detail/CVE-2023-34239
Code Behaviors & Features
Detect and mitigate CVE-2023-34239 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →