SB2024092552 - Multiple vulnerabilities in Gradio
Published: September 25, 2024 Updated: April 28, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 3 vulnerabilities.
1) Information Exposure Through Timing Discrepancy (CVE-ID: CVE-2024-1729)
CWE-ID: CWE-208 - Information Exposure Through Timing Discrepancy
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to guess the password of password-protected applications.
The vulnerability exists due to observable timing discrepancies in password comparison in the authentication mechanism when processing login attempts. A remote user can send a large number of authentication guesses to guess the password of password-protected applications.
The issue relies on early termination of string comparisons, and the absence of default rate limiting increases the feasibility of brute-force attempts.
2) Improper access control (CVE-ID: CVE-2024-1727)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to upload files to a user's computer.
The vulnerability exists due to improper access control in the upload route when handling cross-origin requests from a third-party website. A remote attacker can host a malicious website that submits a crafted request to the local Gradio application to upload files to a user's computer.
The issue affects users running Gradio applications locally while visiting a third-party website.
3) Improper access control (CVE-ID: CVE-2024-1728)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose arbitrary files from the machine hosting the Gradio application.
The vulnerability exists due to improper access control in the Gradio file access handling when processing modified network requests to the server. A remote user can intercept and modify network requests made by the Gradio app to disclose arbitrary files from the machine hosting the Gradio application.
Only applications exposed through a publicly accessible Gradio link are vulnerable.
Remediation
Install update from vendor's website.