Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Local File Inclusion in JSON component in gradio-app/gradio
Vulnerability Description
A local file inclusion vulnerability exists in the JSON component of gradio-app/gradio version 4.25. The vulnerability arises from improper input validation in the `postprocess()` function within `gradio/components/json_component.py`, where a user-controlled string is parsed as JSON. If the parsed JSON object contains a `path` key, the specified file is moved to a temporary directory, making it possible to retrieve it later via the `/file=..` endpoint. This issue is due to the `processing_utils.move_files_to_cache()` function traversing any object passed to it, looking for a dictionary with a `path` key, and then copying the specified file to a temporary directory. The vulnerability can be exploited by an attacker to read files on the remote system, posing a significant security risk.
CVSS Information
N/A
Vulnerability Type
对路径名的限制不恰当(路径遍历)
Vulnerability Title
Gradio 输入验证错误漏洞
Vulnerability Description
Gradio是一个开源 Python 库,是通过友好的 Web 界面演示机器学习模型的方法。 Gradio 4.25 版本存在输入验证错误漏洞,该漏洞源于 postprocess 函数中输入验证不当,其中 path 字段可以通过 ../ 遍历路径。
CVSS Information
N/A
Vulnerability Type
N/A