A Server-Side Request Forgery (SSRF) vulnerability exists in the gradio-app/gradio version 4.21.0, specifically within the `/queue/join` endpoint and the `save_url_to_cache` function. The vulnerability arises when the `path` value, obtained from the user and expected to be a URL, is used to make an HTTP request without sufficient validation checks. This flaw allows an attacker to send crafted requests that could lead to unauthorized access to the local network or the AWS metadata endpoint, thereby compromising the security of internal servers.
History

Wed, 09 Oct 2024 16:30:00 +0000

Type Values Removed Values Added
First Time appeared Gradio Project
Gradio Project gradio
CPEs cpe:2.3:a:gradio_project:gradio:*:*:*:*:*:python:*:*
Vendors & Products Gradio Project
Gradio Project gradio
Metrics cvssV3_1

{'score': 8.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: @huntr_ai

Published: 2024-06-06T17:55:29.815Z

Updated: 2024-08-01T20:40:46.442Z

Reserved: 2024-04-29T19:13:27.531Z

Link: CVE-2024-4325

cve-icon Vulnrichment

Updated: 2024-08-01T20:40:46.442Z

cve-icon NVD

Status : Modified

Published: 2024-06-06T18:15:18.300

Modified: 2024-11-21T09:42:37.733

Link: CVE-2024-4325

cve-icon Redhat

No data.