Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2023-51449
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
Make the `/file` secure against file traversal attacks
Source: NVD (National Vulnerability Database)
Vulnerability Description
Gradio is an open-source Python package that allows you to quickly build a demo or web application for your machine learning model, API, or any arbitary Python function. Versions of `gradio` prior to 4.11.0 contained a vulnerability in the `/file` route which made them susceptible to file traversal attacks in which an attacker could access arbitrary files on a machine running a Gradio app with a public URL (e.g. if the demo was created with `share=True`, or on Hugging Face Spaces) if they knew the path of files to look for. This issue has been patched in version 4.11.0.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
Source: NVD (National Vulnerability Database)
Vulnerability Type
对路径名的限制不恰当(路径遍历)
Source: NVD (National Vulnerability Database)
Vulnerability Title
Gradio 路径遍历漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Gradio是一个开源 Python 库,是通过友好的 Web 界面演示机器学习模型的方法。 Gradio 4.11.0之前版本存在路径遍历漏洞,该漏洞源于/file存在路径遍历漏洞。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
VendorProductAffected VersionsCPESubscribe
gradio-appgradio < 4.11.0 -
II. Public POCs for CVE-2023-51449
#POC DescriptionSource LinkShenlong Link
1Gradio LFI when auth is not enabled, affects versions 4.0 - 4.10, also works against Gradio < 3.33 https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2023/CVE-2023-51449.yamlPOC Details
2https://github.com/vulhub/vulhub/blob/master/gradio/CVE-2023-51449/README.mdPOC Details
3Nonehttps://github.com/Threekiii/Awesome-POC/blob/master/%E5%BC%80%E5%8F%91%E8%AF%AD%E8%A8%80%E6%BC%8F%E6%B4%9E/Python%20Gradio%20%E7%9B%AE%E5%BD%95%E7%A9%BF%E8%B6%8A%E6%BC%8F%E6%B4%9E%20CVE-2023-51449.mdPOC Details
AI-Generated POCPremium

No public POC found.

Login to generate AI POC
III. Intelligence Information for CVE-2023-51449
Please Login to view more intelligence information
IV. Related Vulnerabilities
Same product: gradio
Same vendor: gradio-app
Same weakness: CWE-22
V. Comments for CVE-2023-51449

No comments yet

Leave a comment