CVE-2024-1728

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2024-1728

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-1728.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2024-1728

Aliases

GHSA-m842-4qm8-7gpq

Published

2024-04-10T17:07:56.020Z

Modified

2026-05-28T03:55:23.644433105Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Summary

Local File Inclusion in gradio-app/gradio

Details

gradio-app/gradio is vulnerable to a local file inclusion vulnerability due to improper validation of user-supplied input in the UploadButton component. Attackers can exploit this vulnerability to read arbitrary files on the filesystem, such as private SSH keys, by manipulating the file path in the request to the /queue/join endpoint. This issue could potentially lead to remote code execution. The vulnerability is present in the handling of file upload paths, allowing attackers to redirect file uploads to unintended locations on the server.

Database specific

{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/1xxx/CVE-2024-1728.json",
    "cwe_ids": [
        "CWE-22"
    ],
    "cna_assigner": "@huntr_ai"
}

References

Affected packages

Git / github.com/gradio-app/gradio

Affected ranges

Type: GIT
Repo: https://github.com/gradio-app/gradio
Events: Introduced

bb4126cc243bb3d198b16b85bef867ede830ecaf

Fixed

bacbc70fa1936a5ca2bfd85ab493a4912004b10e

Affected versions

@gradio/accordion@0.*

@gradio/accordion@0.3.1

@gradio/accordion@0.3.2

@gradio/accordion@0.3.3

@gradio/annotatedimage@0.*

@gradio/annotatedimage@0.5.0

@gradio/annotatedimage@0.5.1

@gradio/annotatedimage@0.5.2

@gradio/app@1.*

@gradio/app@1.24.0

@gradio/app@1.25.0

@gradio/app@1.25.1

@gradio/atoms@0.*

@gradio/atoms@0.5.2

@gradio/atoms@0.5.3

@gradio/audio@0.*

@gradio/audio@0.9.0

@gradio/audio@0.9.1

@gradio/audio@0.9.2

@gradio/box@0.*

@gradio/box@0.1.10

@gradio/box@0.1.9

@gradio/button@0.*

@gradio/button@0.2.20

@gradio/button@0.2.21

@gradio/button@0.2.22

@gradio/chatbot@0.*

@gradio/chatbot@0.7.0

@gradio/chatbot@0.7.1

@gradio/chatbot@0.7.2

@gradio/checkbox@0.*

@gradio/checkbox@0.2.10

@gradio/checkbox@0.2.9

@gradio/checkboxgroup@0.*

@gradio/checkboxgroup@0.4.3

@gradio/checkboxgroup@0.4.4

@gradio/client@0.*

@gradio/client@0.12.0

@gradio/client@0.12.1

@gradio/code@0.*

@gradio/code@0.5.0

@gradio/code@0.5.1

@gradio/code@0.5.2

@gradio/colorpicker@0.*

@gradio/colorpicker@0.2.10

@gradio/colorpicker@0.2.9

@gradio/dataframe@0.*

@gradio/dataframe@0.6.1

@gradio/dataframe@0.6.2

@gradio/dataframe@0.6.3

@gradio/dataset@0.*

@gradio/dataset@0.1.20

@gradio/dataset@0.1.21

@gradio/dataset@0.1.22

@gradio/dropdown@0.*

@gradio/dropdown@0.6.0

@gradio/dropdown@0.6.1

@gradio/fallback@0.*

@gradio/fallback@0.2.10

@gradio/fallback@0.2.9

@gradio/file@0.*

@gradio/file@0.5.0

@gradio/file@0.5.1

@gradio/file@0.5.2

@gradio/fileexplorer@0.*

@gradio/fileexplorer@0.3.20

@gradio/fileexplorer@0.3.21

@gradio/fileexplorer@0.3.22

@gradio/form@0.*

@gradio/form@0.1.10

@gradio/form@0.1.9

@gradio/gallery@0.*

@gradio/gallery@0.7.0

@gradio/gallery@0.7.1

@gradio/gallery@0.7.2

@gradio/highlightedtext@0.*

@gradio/highlightedtext@0.4.10

@gradio/highlightedtext@0.4.9

@gradio/html@0.*

@gradio/html@0.1.10

@gradio/html@0.1.9

@gradio/icons@0.*

@gradio/icons@0.3.3

@gradio/image@0.*

@gradio/image@0.9.0

@gradio/image@0.9.1

@gradio/image@0.9.2

@gradio/imageeditor@0.*

@gradio/imageeditor@0.4.0

@gradio/imageeditor@0.4.1

@gradio/imageeditor@0.4.2

@gradio/json@0.*

@gradio/json@0.1.10

@gradio/json@0.1.9

@gradio/label@0.*

@gradio/label@0.2.10

@gradio/label@0.2.9

@gradio/markdown@0.*

@gradio/markdown@0.6.3

@gradio/markdown@0.6.4

@gradio/model3d@0.*

@gradio/model3d@0.7.0

@gradio/model3d@0.8.0

@gradio/model3d@0.8.1

@gradio/number@0.*

@gradio/number@0.3.10

@gradio/number@0.3.9

@gradio/paramviewer@0.*

@gradio/paramviewer@0.4.2

@gradio/paramviewer@0.4.3

@gradio/plot@0.*

@gradio/plot@0.3.1

@gradio/plot@0.3.2

@gradio/radio@0.*

@gradio/radio@0.4.3

@gradio/radio@0.4.4

@gradio/simpledropdown@0.*

@gradio/simpledropdown@0.1.10

@gradio/simpledropdown@0.1.9

@gradio/simpleimage@0.*

@gradio/simpleimage@0.3.0

@gradio/simpleimage@0.3.1

@gradio/simpleimage@0.3.2

@gradio/simpletextbox@0.*

@gradio/simpletextbox@0.1.10

@gradio/simpletextbox@0.1.9

@gradio/slider@0.*

@gradio/slider@0.2.10

@gradio/slider@0.2.9

@gradio/statustracker@0.*

@gradio/statustracker@0.4.6

@gradio/statustracker@0.4.7

@gradio/tabitem@0.*

@gradio/tabitem@0.2.3

@gradio/tabs@0.*

@gradio/tabs@0.2.3

@gradio/textbox@0.*

@gradio/textbox@0.4.10

@gradio/textbox@0.4.11

@gradio/tootils@0.*

@gradio/tootils@0.2.0

@gradio/tootils@0.2.1

@gradio/tootils@0.2.2

@gradio/upload@0.*

@gradio/upload@0.7.2

@gradio/upload@0.7.3

@gradio/upload@0.7.4

@gradio/uploadbutton@0.*

@gradio/uploadbutton@0.4.5

@gradio/uploadbutton@0.4.6

@gradio/uploadbutton@0.4.7

@gradio/utils@0.*

@gradio/utils@0.3.0

@gradio/video@0.*

@gradio/video@0.6.0

@gradio/video@0.6.1

@gradio/video@0.6.2

gradio@4.*

gradio@4.18.0

gradio@4.19.0

gradio@4.19.1

gradio_client@0.*

gradio_client@0.10.0

gradio_test@0.*

gradio_test@0.3.6

gradio_test@0.3.7

website@0.*

website@0.23.1

website@0.23.2

website@0.23.3

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-1728.json"