Description

In gradio <=4.42.0, the gr.DownloadButton function has a hidden server-side request forgery (SSRF) vulnerability. The reason is that within the save_url_to_cache function, there are no restrictions on the URL, which allows access to local target resources. This can lead to the download of local resources and sensitive information.

INFO

Published Date :

2024-11-04T00:00:00.000Z

Last Modified :

2024-11-06T19:21:09.673Z

Source :

mitre
AFFECTED PRODUCTS

The following products are affected by CVE-2024-48052 vulnerability.

Vendors Products
Gradio Project
  • Gradio
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2024-48052.

URL Resource
https://gist.github.com/AfterSnows/45ffc23797f9127e00755376cc610e12 cve-icon cve-icon
https://rumbling-slice-eb0.notion.site/FULL-SSRF-in-gr-DownloadButton-in-gradio-app-gradio-870b21e0908b48cbafd914719ac1a4e6?pvs=4 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact