CVE-2024-1561

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2024-1561

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-1561.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2024-1561

Aliases

GHSA-g9cj-cfpp-4g2x

Published

2024-04-16T00:15:08Z

Modified

2024-10-12T11:16:27.232270Z

Summary

[none]

Details

An issue was discovered in gradio-app/gradio, where the /component_server endpoint improperly allows the invocation of any method on a Component class with attacker-controlled arguments. Specifically, by exploiting the move_resource_to_block_cache() method of the Block class, an attacker can copy any file on the filesystem to a temporary directory and subsequently retrieve it. This vulnerability enables unauthorized local file read access, posing a significant risk especially when the application is exposed to the internet via launch(share=True), thereby allowing remote attackers to read files on the host machine. Furthermore, gradio apps hosted on huggingface.co are also affected, potentially leading to the exposure of sensitive information such as API keys and credentials stored in environment variables.

References

Affected packages

Git / github.com/gradio-app/gradio

Affected ranges

Type: GIT
Repo: https://github.com/gradio-app/gradio
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

24a583688046867ca8b8b02959c441818bdb34a2

Affected versions

@gradio/atoms@0.*

@gradio/atoms@0.2.0

@gradio/atoms@0.2.0-beta.6

@gradio/atoms@0.2.1

@gradio/atoms@0.2.2

@gradio/atoms@0.3.0

@gradio/atoms@0.3.1

@gradio/atoms@0.4.0

@gradio/atoms@0.4.1

@gradio/audio@0.*

@gradio/audio@0.4.0

@gradio/audio@0.4.0-beta.9

@gradio/audio@0.4.1

@gradio/audio@0.4.2

@gradio/audio@0.4.3

@gradio/audio@0.5.0

@gradio/audio@0.5.1

@gradio/audio@0.5.2

@gradio/audio@0.5.3

@gradio/audio@0.5.4

@gradio/audio@0.5.5

@gradio/audio@0.6.0

@gradio/audio@0.6.1

@gradio/audio@0.6.2

@gradio/audio@0.6.3

@gradio/audio@0.6.4

@gradio/box@0.*

@gradio/box@0.1.0

@gradio/box@0.1.0-beta.7

@gradio/box@0.1.1

@gradio/box@0.1.2

@gradio/box@0.1.3

@gradio/box@0.1.4

@gradio/box@0.1.5

@gradio/box@0.1.6

@gradio/button@0.*

@gradio/button@0.2.0

@gradio/button@0.2.0-beta.7

@gradio/button@0.2.1

@gradio/button@0.2.10

@gradio/button@0.2.11

@gradio/button@0.2.12

@gradio/button@0.2.13

@gradio/button@0.2.14

@gradio/button@0.2.2

@gradio/button@0.2.3

@gradio/button@0.2.4

@gradio/button@0.2.5

@gradio/button@0.2.6

@gradio/button@0.2.7

@gradio/button@0.2.8

@gradio/button@0.2.9

@gradio/chatbot@0.*

@gradio/chatbot@0.4.0

@gradio/chatbot@0.4.0-beta.9

@gradio/chatbot@0.4.1

@gradio/chatbot@0.4.2

@gradio/chatbot@0.4.3

@gradio/chatbot@0.4.4

@gradio/chatbot@0.4.5

@gradio/chatbot@0.4.6

@gradio/chatbot@0.4.7

@gradio/chatbot@0.4.8

@gradio/chatbot@0.5.0

@gradio/chatbot@0.5.1

@gradio/chatbot@0.5.2

@gradio/chatbot@0.5.3

@gradio/chatbot@0.5.4

@gradio/chatbot@0.5.5

@gradio/chatbot@0.5.6

@gradio/checkbox@0.*

@gradio/checkbox@0.2.0

@gradio/checkbox@0.2.0-beta.8

@gradio/checkbox@0.2.1

@gradio/checkbox@0.2.2

@gradio/checkbox@0.2.3

@gradio/checkbox@0.2.4

@gradio/checkbox@0.2.5

@gradio/checkbox@0.2.6

@gradio/checkboxgroup@0.*

@gradio/checkboxgroup@0.3.0

@gradio/checkboxgroup@0.3.0-beta.8

@gradio/checkboxgroup@0.3.1

@gradio/checkboxgroup@0.3.2

@gradio/checkboxgroup@0.3.3

@gradio/checkboxgroup@0.3.4

@gradio/checkboxgroup@0.3.5

@gradio/checkboxgroup@0.3.6

@gradio/checkboxgroup@0.3.7

@gradio/client@0.*

@gradio/client@0.2.1

@gradio/client@0.3.0

@gradio/client@0.3.1

@gradio/client@0.4.0

@gradio/client@0.4.1

@gradio/client@0.4.2

@gradio/client@0.5.0

@gradio/client@0.5.1

@gradio/client@0.5.2

@gradio/client@0.6.0

@gradio/client@0.7.0

@gradio/client@0.7.0-beta.1

@gradio/client@0.7.1

@gradio/client@0.7.2

@gradio/client@0.8.0

@gradio/client@0.8.1

@gradio/client@0.8.2

@gradio/client@0.9.0

@gradio/client@0.9.1

@gradio/client@0.9.2

@gradio/client@0.9.3

@gradio/client@0.9.4

@gradio/code@0.*

@gradio/code@0.2.0

@gradio/code@0.2.0-beta.8

@gradio/code@0.2.1

@gradio/code@0.2.2

@gradio/code@0.2.3

@gradio/code@0.2.4

@gradio/code@0.2.5

@gradio/code@0.2.6

@gradio/code@0.2.7

@gradio/code@0.2.8

@gradio/code@0.2.9

@gradio/code@0.3.0

@gradio/code@0.3.1

@gradio/code@0.3.2

@gradio/code@0.3.3

@gradio/code@0.3.4

@gradio/colorpicker@0.*

@gradio/colorpicker@0.2.0

@gradio/colorpicker@0.2.0-beta.8

@gradio/colorpicker@0.2.1

@gradio/colorpicker@0.2.2

@gradio/colorpicker@0.2.3

@gradio/colorpicker@0.2.4

@gradio/colorpicker@0.2.5

@gradio/colorpicker@0.2.6

@gradio/column@0.*

@gradio/column@0.1.0

@gradio/column@0.1.0-beta.3

@gradio/dataframe@0.*

@gradio/dataframe@0.3.0

@gradio/dataframe@0.3.0-beta.8

@gradio/dataframe@0.3.1

@gradio/dataframe@0.3.10

@gradio/dataframe@0.3.11

@gradio/dataframe@0.3.2

@gradio/dataframe@0.3.3

@gradio/dataframe@0.3.4

@gradio/dataframe@0.3.5

@gradio/dataframe@0.3.6

@gradio/dataframe@0.3.7

@gradio/dataframe@0.3.8

@gradio/dataframe@0.3.9

@gradio/dataframe@0.4.0

@gradio/dataframe@0.4.1

@gradio/dataframe@0.4.2

@gradio/dataframe@0.4.3

@gradio/dataframe@0.4.4

@gradio/dataset@0.*

@gradio/dataset@0.1.0

@gradio/dataset@0.1.0-beta.2

@gradio/dataset@0.1.1

@gradio/dataset@0.1.10

@gradio/dataset@0.1.11

@gradio/dataset@0.1.12

@gradio/dataset@0.1.13

@gradio/dataset@0.1.14

@gradio/dataset@0.1.2

@gradio/dataset@0.1.3

@gradio/dataset@0.1.4

@gradio/dataset@0.1.5

@gradio/dataset@0.1.6

@gradio/dataset@0.1.7

@gradio/dataset@0.1.8

@gradio/dataset@0.1.9

@gradio/dropdown@0.*

@gradio/dropdown@0.3.0

@gradio/dropdown@0.3.0-beta.8

@gradio/dropdown@0.3.1

@gradio/dropdown@0.3.2

@gradio/dropdown@0.3.3

@gradio/dropdown@0.4.0

@gradio/dropdown@0.4.1

@gradio/dropdown@0.4.2

@gradio/dropdown@0.4.3

@gradio/fallback@0.*

@gradio/fallback@0.2.0

@gradio/fallback@0.2.0-beta.8

@gradio/fallback@0.2.1

@gradio/fallback@0.2.2

@gradio/fallback@0.2.3

@gradio/fallback@0.2.4

@gradio/fallback@0.2.5

@gradio/fallback@0.2.6

@gradio/file@0.*

@gradio/file@0.2.0

@gradio/file@0.2.0-beta.8

@gradio/file@0.2.1

@gradio/file@0.2.2

@gradio/file@0.2.3

@gradio/file@0.2.4

@gradio/file@0.2.5

@gradio/file@0.2.6

@gradio/file@0.2.7

@gradio/file@0.3.0

@gradio/file@0.3.1

@gradio/file@0.4.0

@gradio/file@0.4.1

@gradio/file@0.4.2

@gradio/file@0.4.3

@gradio/file@0.4.4

@gradio/form@0.*

@gradio/form@0.1.0

@gradio/form@0.1.0-beta.7

@gradio/form@0.1.1

@gradio/form@0.1.2

@gradio/form@0.1.3

@gradio/form@0.1.4

@gradio/form@0.1.5

@gradio/form@0.1.6

@gradio/gallery@0.*

@gradio/gallery@0.4.0

@gradio/gallery@0.4.0-beta.9

@gradio/gallery@0.4.1

@gradio/gallery@0.4.10

@gradio/gallery@0.4.11

@gradio/gallery@0.4.12

@gradio/gallery@0.4.13

@gradio/gallery@0.4.14

@gradio/gallery@0.4.15

@gradio/gallery@0.4.2

@gradio/gallery@0.4.3

@gradio/gallery@0.4.4

@gradio/gallery@0.4.5

@gradio/gallery@0.4.6

@gradio/gallery@0.4.7

@gradio/gallery@0.4.8

@gradio/gallery@0.4.9

@gradio/group@0.*

@gradio/group@0.1.0

@gradio/group@0.1.0-beta.2

@gradio/highlightedtext@0.*

@gradio/highlightedtext@0.4.0

@gradio/highlightedtext@0.4.0-beta.8

@gradio/highlightedtext@0.4.1

@gradio/highlightedtext@0.4.2

@gradio/highlightedtext@0.4.3

@gradio/highlightedtext@0.4.4

@gradio/highlightedtext@0.4.5

@gradio/highlightedtext@0.4.6

@gradio/html@0.*

@gradio/html@0.1.0

@gradio/html@0.1.0-beta.8

@gradio/html@0.1.1

@gradio/html@0.1.2

@gradio/html@0.1.3

@gradio/html@0.1.4

@gradio/html@0.1.5

@gradio/html@0.1.6

@gradio/icons@0.*

@gradio/icons@0.2.0

@gradio/icons@0.2.0-beta.3

@gradio/icons@0.2.1

@gradio/icons@0.3.0

@gradio/icons@0.3.1

@gradio/icons@0.3.2

@gradio/image@0.*

@gradio/image@0.3.0

@gradio/image@0.3.0-beta.9

@gradio/image@0.3.1

@gradio/image@0.3.2

@gradio/image@0.3.3

@gradio/image@0.3.4

@gradio/image@0.3.5

@gradio/image@0.3.6

@gradio/image@0.4.0

@gradio/image@0.4.1

@gradio/image@0.4.2

@gradio/image@0.5.0

@gradio/image@0.5.1

@gradio/image@0.5.2

@gradio/image@0.5.3

@gradio/image@0.5.4

@gradio/imageeditor@0.*

@gradio/imageeditor@0.0.1

@gradio/imageeditor@0.1.0

@gradio/imageeditor@0.1.1

@gradio/imageeditor@0.1.2

@gradio/imageeditor@0.1.3

@gradio/imageeditor@0.1.4

@gradio/imageeditor@0.1.5

@gradio/imageeditor@0.2.0

@gradio/imageeditor@0.2.1

@gradio/json@0.*

@gradio/json@0.1.0

@gradio/json@0.1.0-beta.8

@gradio/json@0.1.1

@gradio/json@0.1.2

@gradio/json@0.1.3

@gradio/json@0.1.4

@gradio/json@0.1.5

@gradio/json@0.1.6

@gradio/label@0.*

@gradio/label@0.2.0

@gradio/label@0.2.0-beta.8

@gradio/label@0.2.1

@gradio/label@0.2.2

@gradio/label@0.2.3

@gradio/label@0.2.4

@gradio/label@0.2.5

@gradio/label@0.2.6

@gradio/lite@0.*

@gradio/lite@0.3.1

@gradio/lite@0.3.2

@gradio/lite@0.4.0

@gradio/lite@0.4.1

@gradio/lite@0.4.2

@gradio/lite@0.4.3

@gradio/markdown@0.*

@gradio/markdown@0.3.0

@gradio/markdown@0.3.0-beta.8

@gradio/markdown@0.3.1

@gradio/markdown@0.3.2

@gradio/markdown@0.3.3

@gradio/markdown@0.3.4

@gradio/markdown@0.4.0

@gradio/markdown@0.4.1

@gradio/markdown@0.5.0

@gradio/markdown@0.6.0

@gradio/model3d@0.*

@gradio/model3d@0.3.0

@gradio/model3d@0.3.0-beta.8

@gradio/model3d@0.3.1

@gradio/model3d@0.4.0

@gradio/model3d@0.4.1

@gradio/model3d@0.4.10

@gradio/model3d@0.4.11

@gradio/model3d@0.4.12

@gradio/model3d@0.4.2

@gradio/model3d@0.4.3

@gradio/model3d@0.4.4

@gradio/model3d@0.4.5

@gradio/model3d@0.4.6

@gradio/model3d@0.4.7

@gradio/model3d@0.4.8

@gradio/model3d@0.4.9

@gradio/number@0.*

@gradio/number@0.3.0

@gradio/number@0.3.0-beta.8

@gradio/number@0.3.1

@gradio/number@0.3.2

@gradio/number@0.3.3

@gradio/number@0.3.4

@gradio/number@0.3.5

@gradio/number@0.3.6

@gradio/plot@0.*

@gradio/plot@0.2.0

@gradio/plot@0.2.0-beta.8

@gradio/plot@0.2.1

@gradio/plot@0.2.2

@gradio/plot@0.2.3

@gradio/plot@0.2.4

@gradio/plot@0.2.5

@gradio/plot@0.2.6

@gradio/preview@0.*

@gradio/preview@0.1.0

@gradio/preview@0.1.0-beta.8

@gradio/preview@0.1.1

@gradio/preview@0.2.0

@gradio/preview@0.2.1

@gradio/preview@0.2.2

@gradio/preview@0.3.0

@gradio/preview@0.4.0

@gradio/preview@0.5.0

@gradio/preview@0.6.0

@gradio/radio@0.*

@gradio/radio@0.3.0

@gradio/radio@0.3.0-beta.8

@gradio/radio@0.3.1

@gradio/radio@0.3.2

@gradio/radio@0.3.3

@gradio/radio@0.3.4

@gradio/radio@0.3.5

@gradio/radio@0.3.6

@gradio/radio@0.3.7

@gradio/row@0.*

@gradio/row@0.1.0

@gradio/row@0.1.0-beta.2

@gradio/row@0.1.1

@gradio/simpledropdown@0.*

@gradio/simpledropdown@0.1.0

@gradio/simpledropdown@0.1.0-beta.3

@gradio/simpledropdown@0.1.1

@gradio/simpledropdown@0.1.2

@gradio/simpledropdown@0.1.3

@gradio/simpledropdown@0.1.4

@gradio/simpledropdown@0.1.5

@gradio/simpledropdown@0.1.6

@gradio/simpletextbox@0.*

@gradio/simpletextbox@0.1.0

@gradio/simpletextbox@0.1.0-beta.2

@gradio/simpletextbox@0.1.1

@gradio/simpletextbox@0.1.2

@gradio/simpletextbox@0.1.3

@gradio/simpletextbox@0.1.4

@gradio/simpletextbox@0.1.5

@gradio/simpletextbox@0.1.6

@gradio/slider@0.*

@gradio/slider@0.2.0

@gradio/slider@0.2.0-beta.8

@gradio/slider@0.2.1

@gradio/slider@0.2.2

@gradio/slider@0.2.3

@gradio/slider@0.2.4

@gradio/slider@0.2.5

@gradio/slider@0.2.6

@gradio/state@0.*

@gradio/state@0.1.0

@gradio/state@0.1.0-beta.2

@gradio/statustracker@0.*

@gradio/statustracker@0.3.0

@gradio/statustracker@0.3.0-beta.8

@gradio/statustracker@0.3.1

@gradio/statustracker@0.3.2

@gradio/statustracker@0.4.0

@gradio/statustracker@0.4.1

@gradio/statustracker@0.4.2

@gradio/statustracker@0.4.3

@gradio/tabitem@0.*

@gradio/tabitem@0.1.0

@gradio/tabitem@0.1.0-beta.8

@gradio/tabs@0.*

@gradio/tabs@0.1.0

@gradio/tabs@0.1.0-beta.8

@gradio/textbox@0.*

@gradio/textbox@0.4.0

@gradio/textbox@0.4.0-beta.8

@gradio/textbox@0.4.1

@gradio/textbox@0.4.2

@gradio/textbox@0.4.3

@gradio/textbox@0.4.4

@gradio/textbox@0.4.5

@gradio/textbox@0.4.6

@gradio/textbox@0.4.7

@gradio/theme@0.*

@gradio/theme@0.2.0

@gradio/theme@0.2.0-beta.2

@gradio/tooltip@0.*

@gradio/tooltip@0.1.0

@gradio/tooltip@0.1.0-beta.2

@gradio/tootils@0.*

@gradio/tootils@0.1.0

@gradio/tootils@0.1.0-beta.7

@gradio/tootils@0.1.1

@gradio/tootils@0.1.2

@gradio/tootils@0.1.3

@gradio/tootils@0.1.4

@gradio/tootils@0.1.5

@gradio/tootils@0.1.6

@gradio/tootils@0.1.7

@gradio/upload@0.*

@gradio/upload@0.3.0

@gradio/upload@0.3.0-beta.6

@gradio/upload@0.3.1

@gradio/upload@0.3.2

@gradio/upload@0.3.3

@gradio/upload@0.4.0

@gradio/upload@0.4.1

@gradio/upload@0.4.2

@gradio/upload@0.5.0

@gradio/upload@0.5.1

@gradio/upload@0.5.2

@gradio/upload@0.5.3

@gradio/upload@0.5.4

@gradio/upload@0.5.5

@gradio/upload@0.5.6

@gradio/upload@0.5.7

@gradio/uploadbutton@0.*

@gradio/uploadbutton@0.1.0

@gradio/uploadbutton@0.1.0-beta.7

@gradio/uploadbutton@0.1.1

@gradio/uploadbutton@0.1.2

@gradio/uploadbutton@0.1.3

@gradio/uploadbutton@0.1.4

@gradio/uploadbutton@0.1.5

@gradio/uploadbutton@0.2.0

@gradio/uploadbutton@0.2.1

@gradio/uploadbutton@0.2.2

@gradio/uploadbutton@0.3.0

@gradio/uploadbutton@0.3.1

@gradio/uploadbutton@0.3.2

@gradio/uploadbutton@0.3.3

@gradio/uploadbutton@0.3.4

@gradio/uploadbutton@0.3.5

@gradio/utils@0.*

@gradio/utils@0.2.0

@gradio/utils@0.2.0-beta.6

@gradio/video@0.*

@gradio/video@0.1.0

@gradio/video@0.1.0-beta.9

@gradio/video@0.1.1

@gradio/video@0.1.2

@gradio/video@0.1.3

@gradio/video@0.1.4

@gradio/video@0.1.5

@gradio/video@0.1.6

@gradio/video@0.1.7

@gradio/video@0.1.8

@gradio/video@0.1.9

@gradio/video@0.2.0

@gradio/video@0.2.1

@gradio/video@0.2.2

@gradio/video@0.2.3

@gradio/video@0.2.4

@gradio/wasm@0.*

@gradio/wasm@0.2.0

@gradio/wasm@0.2.0-beta.2

@gradio/wasm@0.3.0

@gradio/wasm@0.4.0

gradio@3.*

gradio@3.41.0

gradio@3.41.1

gradio@3.41.2

gradio@3.42.0

gradio@3.43.0

gradio@3.43.1

gradio@3.43.2

gradio@3.44.0

gradio@3.44.1

gradio@3.44.2

gradio@3.44.3

gradio@3.44.4

gradio@3.45.0

gradio@3.45.1

gradio@3.45.2

gradio@3.46.0

gradio@3.46.1

gradio@3.47.0

gradio@3.47.1

gradio@3.48.0

gradio@3.49.0

gradio@3.50.0

gradio@3.50.1

gradio@3.50.2

gradio@4.*

gradio@4.0.0

gradio@4.0.0-beta.15

gradio@4.0.1

gradio@4.0.2

gradio@4.1.0

gradio@4.1.1

gradio@4.1.2

gradio@4.10.0

gradio@4.11.0

gradio@4.12.0

gradio@4.2.0

gradio@4.3.0

gradio@4.4.0

gradio@4.4.1

gradio@4.5.0

gradio@4.6.0

gradio@4.7.0

gradio@4.8.0

gradio@4.9.0

gradio@4.9.1

gradio_client@0.*

gradio_client@0.5.0

gradio_client@0.5.1

gradio_client@0.5.2

gradio_client@0.5.3

gradio_client@0.6.0

gradio_client@0.6.1

gradio_client@0.7.0

gradio_client@0.7.0-beta.2

gradio_client@0.7.1

gradio_client@0.7.2

gradio_client@0.7.3

gradio_client@0.8.0

v2.*

v2.3.6

v2.4.0

v2.6.0

v2.7.1

v2.7.5

v2.8.1

v2.9.0

v3.*

v3.0

v3.0.1b120

v3.0.1b121

v3.0.1b123

v3.0.1b150

v3.0.1b300

v3.0.25

v3.0.26

v3.1.0

v3.1.1

v3.1.3

v3.1.3a

v3.1.3a2

v3.1.3a3

v3.1.4

v3.1.4b

v3.1.4b1

v3.1.4b2

v3.1.4b3

v3.1.5

v3.1.6

v3.1.7

v3.1.8b

v3.10.0

v3.10.1

v3.11.0

v3.12.0

v3.12.0b1

v3.12.0b2

v3.12.0b3

v3.12.0b6

v3.12.0b7

v3.13.0

v3.13.0b1

v3.13.1

v3.13.1b0

v3.13.1b1

v3.13.1b2

v3.13.2

v3.14.0

v3.14.0a1

v3.15.0

v3.16.0

v3.16.1

v3.16.1b1

v3.16.2

v3.17.0

v3.17.1

v3.17.1b1

v3.17.1b2

v3.18.0

v3.18.1b1

v3.18.1b2

v3.18.1b3

v3.18.1b4

v3.18.1b5

v3.18.1b6

v3.18.1b7

v3.19.0

v3.19.1

v3.2

v3.2.1b0

v3.2.1b1

v3.2.1b2

v3.20.0

v3.20.0b2

v3.20.1

v3.21.0

v3.22.0

v3.22.1

v3.22.1b1

v3.23.0

v3.23.1b1

v3.23.1b2

v3.23.1b3

v3.24.0

v3.24.1

v3.25.0

v3.25.1b1

v3.25.1b2

v3.26.0

v3.27.0

v3.28.0

v3.28.1

v3.28.2

v3.28.3

v3.28.4b0

v3.29.0

v3.3

v3.3.1

v3.3.b0

v3.30.0

v3.31.0

v3.32.0

v3.33.0

v3.33.1

v3.34.0

v3.35.0

v3.35.1

v3.35.2

v3.36.0

v3.36.1

v3.37.0

v3.38.0

v3.39.0

v3.3b1

v3.4

v3.4.1

v3.40.0

v3.40.1

v3.41.0

v3.4b0

v3.4b1

v3.4b2

v3.4b3

v3.4b5

v3.5

v3.6

v3.6.0b1

v3.6.0b10

v3.6.0b2

v3.6.0b3

v3.6.0b7

v3.7

v3.8

v3.8.1

v3.8.1dev1

v3.8.2

v3.8b1

v3.8b2

v3.9

v3.9.1