GHSA-3f95-mxq2-2f63

Source

https://github.com/advisories/GHSA-3f95-mxq2-2f63

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/04/GHSA-3f95-mxq2-2f63/GHSA-3f95-mxq2-2f63.json

JSON Data

https://api.test.osv.dev/v1/vulns/GHSA-3f95-mxq2-2f63

Aliases

CVE-2024-1728

Withdrawn

2026-02-03T17:39:05Z

Published

2024-04-10T18:30:48Z

Modified

2026-02-03T17:50:48.961769Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Summary

Duplicate Advisory: Gradio Local File Inclusion vulnerability

Details

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-m842-4qm8-7gpq. This link is maintained to preserve external references.

Original Description

gradio-app/gradio is vulnerable to a local file inclusion vulnerability due to improper validation of user-supplied input in the UploadButton component. Attackers can exploit this vulnerability to read arbitrary files on the filesystem, such as private SSH keys, by manipulating the file path in the request to the /queue/join endpoint. This issue could potentially lead to remote code execution. The vulnerability is present in the handling of file upload paths, allowing attackers to redirect file uploads to unintended locations on the server.

Database specific

{
    "nvd_published_at": "2024-04-10T17:15:53Z",
    "github_reviewed_at": "2024-04-10T22:12:50Z",
    "github_reviewed": true,
    "severity": "HIGH",
    "cwe_ids": [
        "CWE-22"
    ]
}

References

Affected packages

PyPI / gradio

Package

Name: gradio; View open source insights on deps.dev
Purl: pkg:pypi/gradio

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

4.19.2

Affected versions

0.*

0.1.0

0.1.1

0.1.2

0.1.3

0.1.4

0.1.5

0.1.6

0.1.7

0.1.8

0.1.9

0.2.0

0.2.1

0.3.0

0.3.1

0.3.2

0.3.3

0.3.4

0.3.5

0.4.0

0.4.1

0.4.2

0.4.4

0.5.0

0.7.0

0.7.1

0.7.2

0.7.3

0.7.4

0.7.5

0.7.6

0.7.7

0.7.8

0.8.0

0.8.1

0.9.0

0.9.1

0.9.2

0.9.3

0.9.4

0.9.5

0.9.6

0.9.7

0.9.8

0.9.9.2

0.9.9.3

0.9.9.5

0.9.9.6

0.9.9.7

0.9.9.8

0.9.9.9

0.9.9.9.2

1.*

1.0.0a1

1.0.0a3

1.0.0a4

1.0.0

1.0.1

1.0.2

1.0.3

1.0.4

1.0.5

1.0.6

1.0.7

1.1.0

1.1.1

1.1.2

1.1.3

1.1.4

1.1.5

1.1.6

1.1.8

1.1.8.1

1.1.9

1.2.2

1.2.3

1.3.0

1.3.1

1.3.2

1.4.0

1.4.2

1.4.3

1.4.4

1.5.0

1.5.1

1.5.3

1.5.4

1.6.0

1.6.1

1.6.2

1.6.3

1.6.4

1.7.0

1.7.1

1.7.2

1.7.3

1.7.4

1.7.5

1.7.6

1.7.7

2.*

2.0.0

2.0.1

2.0.2

2.0.4

2.0.5

2.0.6

2.0.7

2.0.8

2.0.9

2.0.10

2.1.0

2.1.1

2.1.2

2.1.4

2.1.6

2.1.7

2.2.0

2.2.1

2.2.2

2.2.3

2.2.4

2.2.5

2.2.6

2.2.7

2.2.8

2.2.9a0

2.2.9a2

2.2.10

2.2.11

2.2.12

2.2.13

2.2.14

2.2.15

2.3.0a0

2.3.0b99

2.3.0b101

2.3.0b102

2.3.0

2.3.3

2.3.4

2.3.5b0

2.3.5

2.3.6

2.3.7b0

2.3.7b1

2.3.7b2

2.3.7

2.3.8b0

2.3.9

2.4.0a0

2.4.0

2.4.1

2.4.2

2.4.4

2.4.5

2.4.6

2.4.7b0

2.4.7b2

2.4.7b3

2.4.7b4

2.4.7b5

2.4.7b6

2.4.7b7

2.4.7b8

2.4.7b9

2.5.0

2.5.1

2.5.2

2.5.3

2.5.8a0

2.6.0

2.6.1a0

2.6.1b0

2.6.1b3

2.6.1

2.6.2

2.6.3

2.6.4b0

2.6.4b2

2.6.4b3

2.6.4

2.7.0a101

2.7.0a102

2.7.0b70

2.7.0

2.7.5

2.7.5.1

2.7.5.2b0

2.7.5.2

2.8.0a100

2.8.0b0

2.8.0b2

2.8.0b3

2.8.0b4

2.8.0b5

2.8.0b6

2.8.0b10

2.8.0b12

2.8.0b20

2.8.0b22

2.8.0

2.8.1

2.8.2

2.8.3

2.8.4

2.8.5

2.8.6

2.8.7

2.8.8

2.8.9

2.8.10

2.8.11

2.8.12

2.8.13

2.8.14

2.9.0b0

2.9.0b1

2.9.0b2

2.9.0b3

2.9.0b5

2.9.0b6

2.9.0b7

2.9.0b8

2.9.0b9

2.9.0b10

2.9b11

2.9b12

2.9b13

2.9b14

2.9b15

2.9b20

2.9b21

2.9b22

2.9b23

2.9b24

2.9b25

2.9b26

2.9b27

2.9b28

2.9b30

2.9b31

2.9b32

2.9b33

2.9b40

2.9b48

2.9b50

2.9.0

2.9.0.1

2.9.1

2.9.2

2.9.3

2.9.4

3.*

3.0b0

3.0b1

3.0b2

3.0b5

3.0b6

3.0b8

3.0b9

3.0b10

3.0

3.0.1b120

3.0.1b121

3.0.1b300

3.0.1

3.0.2

3.0.3

3.0.4

3.0.5

3.0.6b1

3.0.6b2

3.0.6b3

3.0.6

3.0.7

3.0.8b1

3.0.8

3.0.9b10

3.0.9b11

3.0.9b20

3.0.9

3.0.10b2

3.0.10b16

3.0.10

3.0.11b1

3.0.11

3.0.12

3.0.13b13

3.0.13b15

3.0.13b100

3.0.13

3.0.14

3.0.15

3.0.16

3.0.17

3.0.18b0

3.0.18

3.0.19b0

3.0.19b1

3.0.19b2

3.0.19

3.0.20.dev0

3.0.20

3.0.21

3.0.22

3.0.23.dev1

3.0.23

3.0.24

3.0.25

3.0.26

3.1.0

3.1.1

3.1.2

3.1.3a0

3.1.3a2

3.1.3a3

3.1.3a4

3.1.3a5

3.1.3

3.1.4b0

3.1.4b1

3.1.4b2

3.1.4b3

3.1.4b4

3.1.4b5

3.1.4

3.1.5b1

3.1.5b2

3.1.5b3

3.1.5b4

3.1.5b5

3.1.5b7

3.1.5b8

3.1.5b9

3.1.5b10

3.1.5

3.1.6b1

3.1.6

3.1.7

3.1.8b0

3.1.8b2

3.1.8b3

3.1.8b4

3.1.8b6

3.2

3.2.1b0

3.2.1b1

3.2.1b2

3.3b0

3.3b1

3.3

3.3.1

3.4b0

3.4b1

3.4b2

3.4b3

3.4b5

3.4

3.4.1

3.5

3.6.0b1

3.6.0b2

3.6.0b3

3.6.0b7

3.6.0b10

3.6

3.7

3.8b1

3.8b2

3.8

3.8.1.dev1

3.8.1

3.8.2

3.9

3.9.1

3.10.0

3.10.1

3.11.0

3.12.0b1

3.12.0b2

3.12.0b3

3.12.0b6

3.12.0b7

3.12.0

3.13.0b1

3.13.0

3.13.1b0

3.13.1b1

3.13.1b2

3.13.1

3.13.2

3.14.0a1

3.14.0

3.15.0

3.16.0

3.16.1b1

3.16.1

3.16.2

3.17.0

3.17.1b1

3.17.1b2

3.17.1

3.18.0

3.18.1b1

3.18.1b2

3.18.1b3

3.18.1b4

3.18.1b5

3.18.1b6

3.18.1b7

3.19.0

3.19.1

3.20.0b1

3.20.0b2

3.20.0

3.20.1

3.21.0

3.22.0

3.22.1b1

3.22.1

3.23.0

3.23.1b1

3.23.1b2

3.23.1b3

3.24.0

3.24.1

3.25.0

3.25.1b1

3.25.1b2

3.26.0

3.27.0

3.28.0

3.28.1

3.28.2

3.28.3

3.28.4b0

3.29.0

3.30.0

3.31.0

3.32.0

3.33.0

3.33.1

3.34.0

3.35.0

3.35.1

3.35.2

3.36.0

3.36.1

3.37.0

3.38.0

3.39.0

3.40.0

3.40.1

3.41.0

3.41.1

3.41.2

3.42.0

3.43.0

3.43.1

3.43.2

3.44.0

3.44.1

3.44.2

3.44.3

3.44.4

3.45.0b0

3.45.0b9

3.45.0b10

3.45.0b11

3.45.0b12

3.45.0b13

3.45.0

3.45.1

3.45.2

3.46.0

3.46.1

3.47.0

3.47.1

3.48.0

3.49.0

3.50.0

3.50.1

3.50.2

4.*

4.0.0b15

4.0.0

4.0.1

4.0.2

4.1.0

4.1.1

4.1.2

4.2.0

4.3.0

4.4.0

4.4.1

4.5.0

4.7.0

4.7.1

4.8.0

4.9.0

4.9.1

4.10.0

4.11.0

4.12.0

4.13.0

4.14.0

4.15.0

4.16.0

4.17.0

4.18.0

4.19.0

4.19.1

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/04/GHSA-3f95-mxq2-2f63/GHSA-3f95-mxq2-2f63.json"