Main Vulnerability Database Vulnerabilities #VU61456

Command Injection in Gradio - CVE-2022-24770

Published: March 18, 2022

Vulnerability identifier: #VU61456

CSH Severity: High

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber

CVE-ID: CVE-2022-24770

CWE-ID: CWE-77

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
Gradio

Software vendor:
Gradio

Description

The vulnerability allows a remote attacker to execute arbitrary commands on the target system.

The vulnerability exists due to the CSV injection flaw in the flagging function. A remote unauthenticated attacker can trick a victim to open a specially crafted file and execute arbitrary commands on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Remediation

Install updates from vendor's website.

External links

https://github.com/gradio-app/gradio/security/advisories/GHSA-f8xq-q7px-wg8c
https://github.com/gradio-app/gradio/pull/817
https://github.com/gradio-app/gradio/commit/80fea89117358ee105973453fdc402398ae20239

Command Injection in Gradio - CVE-2022-24770

Description

Remediation

External links

Please verify you're human