Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Secrets Exfiltration in gradio-app/gradio
Vulnerability Description
The 'deploy-website.yml' workflow in the gradio-app/gradio repository, specifically in the 'main' branch, is vulnerable to secrets exfiltration due to improper authorization. The vulnerability arises from the workflow's explicit checkout and execution of code from a fork, which is unsafe as it allows the running of untrusted code in an environment with access to push to the base repository and access secrets. This flaw could lead to the exfiltration of sensitive secrets such as GITHUB_TOKEN, HF_TOKEN, VERCEL_ORG_ID, VERCEL_PROJECT_ID, COMMENT_TOKEN, AWSACCESSKEYID, AWSSECRETKEY, and VERCEL_TOKEN. The vulnerability is present in the workflow file located at https://github.com/gradio-app/gradio/blob/72f4ca88ab569aae47941b3fb0609e57f2e13a27/.github/workflows/deploy-website.yml.
CVSS Information
N/A
Vulnerability Type
通过处理环境导致的信息暴露
Vulnerability Title
Gradio 授权问题漏洞
Vulnerability Description
Gradio是一个开源 Python 库,是通过友好的 Web 界面演示机器学习模型的方法。 Gradio存在授权问题漏洞,该漏洞源于授权不当,允许从分支main中的fork显式检出和执行代码,可能导致敏感信息泄露。
CVSS Information
N/A
Vulnerability Type
N/A