In gradio <=4.42.0, the gr.DownloadButton component has a server-side request forgery (SSRF) vulnerability. The save_url_to_cache function places no restrictions on the URL it fetches, so a request can be pointed at local target resources; the server then downloads those local resources, and any sensitive information they contain, on the attacker's behalf.
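The mechanism described above, as an added example that is neither gradio's code nor the project's fix: a hypothetical fetch_to_cache_unsafe shows the unrestricted shape the description refers to, and fetch_to_cache_safe / validate_public_url show the usual hardening, which allows only http(s), resolves the host and refuses any address that is loopback, private, link-local (the 169.254.169.254 cloud metadata address included), IPv4-mapped to such a range, or multicast, and re-validates every redirect hop. All function names are assumptions, and the DNS table and local "secret" file in the demo are constructed.

```python
"""Added example, not gradio's own code: an unrestricted "save URL to cache"
helper beside a hardened variant. Function names are hypothetical; the DNS
table under __main__ is constructed so the demo runs offline."""
import ipaddress
import socket
import tempfile
import urllib.error
import urllib.request
from pathlib import Path
from urllib.parse import urljoin, urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def fetch_to_cache_unsafe(url: str, cache_dir: str) -> Path:
    """Vulnerable pattern: any URL is fetched and stored. urllib also speaks
    file://, so local files and loopback/metadata services are all in reach."""
    dest = Path(cache_dir) / "download"
    with urllib.request.urlopen(url) as resp:  # no scheme or host check
        dest.write_bytes(resp.read())
    return dest


def _default_resolver(host: str) -> list[str]:
    """Every A/AAAA address a hostname maps to (live DNS lookup)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def validate_public_url(url: str, resolver=_default_resolver) -> str:
    """Return url if it is http(s) and every address it resolves to is global
    unicast; raise ValueError otherwise. Judging the resolved address, not the
    string, also covers 0x7f000001-style spellings of 127.0.0.1."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    host = parts.hostname  # lowercased, IPv6 brackets stripped
    if not host:
        raise ValueError("URL has no host")
    if parts.username or parts.password:
        raise ValueError("credentials in URL are not allowed")
    try:
        addrs = [ipaddress.ip_address(host)]
    except ValueError:
        addrs = [ipaddress.ip_address(a) for a in resolver(host)]
    if not addrs:
        raise ValueError(f"{host!r} did not resolve")
    for addr in addrs:
        if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
            addr = addr.ipv4_mapped  # ::ffff:127.0.0.1 is 127.0.0.1 in disguise
        # is_global is False for loopback, RFC 1918/ULA, link-local (incl.
        # 169.254.169.254), 0.0.0.0/8 and reserved space, but not multicast.
        if not addr.is_global or addr.is_multicast:
            raise ValueError(f"{host!r} resolves to non-public {addr}")
    return url


def is_public_url(url: str, resolver=_default_resolver) -> bool:
    try:
        validate_public_url(url, resolver)
        return True
    except ValueError:
        return False


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # do not follow; urllib raises HTTPError for the 3xx instead


def fetch_to_cache_safe(url: str, cache_dir: str, resolver=_default_resolver,
                        max_redirects: int = 5) -> Path:
    """Hardened variant: validate, fetch without auto-redirect, and re-validate
    every Location header (a public URL may 302 to http://169.254.169.254/)."""
    dest = Path(cache_dir) / "download"
    opener = urllib.request.build_opener(_NoRedirect)
    for _ in range(max_redirects + 1):
        validate_public_url(url, resolver)
        try:
            with opener.open(url, timeout=10) as resp:
                dest.write_bytes(resp.read())
            return dest
        except urllib.error.HTTPError as err:
            location = err.headers.get("Location")
            if err.code in (301, 302, 303, 307, 308) and location:
                url = urljoin(url, location)  # next hop is validated too
                continue
            raise
    raise ValueError("too many redirects")


if __name__ == "__main__":
    cache = tempfile.mkdtemp()
    secret = Path(cache) / "secret.txt"  # constructed stand-in for a local file
    secret.write_text("local secret")
    print("unsafe read:", fetch_to_cache_unsafe(secret.as_uri(), cache).read_text())
    fake_dns = {"example.com": ["93.184.216.34"]}  # constructed DNS table
    for u in ["http://example.com/model.bin", secret.as_uri(), "http://127.0.0.1:7860/",
              "http://[::ffff:127.0.0.1]/", "http://169.254.169.254/latest/meta-data/"]:
        print("allowed" if is_public_url(u, lambda h: fake_dns.get(h, [])) else "rejected", u)
```

Two caveats apply to this shape of fix. First, the address checked by validate_public_url is resolved again by urllib when it connects, so a hostname that alternates between a public and a private record (DNS rebinding) can still pass the check and reach the private address; closing that gap means connecting to the validated IP directly and supplying the original hostname for the Host header and SNI, or using an HTTP client that lets you pin the resolver result. Second, an allowlist of permitted hosts, where the feature can tolerate one, is stronger than any denylist of address ranges.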
History
Wed, 06 Nov 2024 20:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
First Time appeared | | Gradio Project; Gradio Project gradio |
Weaknesses | | CWE-918 |
CPEs | | cpe:2.3:a:gradio_project:gradio:*:*:*:*:*:*:*:* |
Vendors & Products | | Gradio Project; Gradio Project gradio |
Metrics | | cvssV3_1 |
Mon, 04 Nov 2024 22:45:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Description | | In gradio <=4.42.0, the gr.DownloadButton function has a hidden server-side request forgery (SSRF) vulnerability. The reason is that within the save_url_to_cache function, there are no restrictions on the URL, which allows access to local target resources. This can lead to the download of local resources and sensitive information. |
References | | |
MITRE
Status: PUBLISHED
Assigner: mitre
Published: 2024-11-04T00:00:00
Updated: 2024-11-06T19:21:09.673Z
Reserved: 2024-10-08T00:00:00
Link: CVE-2024-48052
Vulnrichment
Updated: 2024-11-06T19:21:04.806Z
NVD
Status: Awaiting Analysis
Published: 2024-11-04T23:15:04.337
Modified: 2024-11-06T20:35:29.830
Link: CVE-2024-48052
Redhat
No data.