CVE-2024-47084
CVSS V2 None
CVSS V3 None
Description
Gradio is an open-source Python package designed for quick prototyping. This vulnerability is related to **CORS origin validation**, where the Gradio server fails to validate the request origin when a cookie is present. This allows an attacker’s website to make unauthorized requests to a local Gradio server. Potentially, attackers can upload files, steal authentication tokens, and access user data if the victim visits a malicious website while logged into Gradio. This impacts users who have deployed Gradio locally and use basic authentication. Users are advised to upgrade to `gradio>4.44` to address this issue. As a workaround, users can manually enforce stricter CORS origin validation by modifying the `CustomCORSMiddleware` class in their local Gradio server code. Specifically, they can bypass the condition that skips CORS validation for requests containing cookies to prevent potential exploitation.
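The flaw the advisory describes is a conditional skip: origin validation is bypassed whenever a `Cookie` header is present, which is exactly the case for an authenticated browser session. The following is an added, illustrative reimplementation of that check (example code written for this page, not Gradio's `CustomCORSMiddleware`), showing the vulnerable decision beside the hardened one. It assumes the server only intends to accept cross-site requests from local origins (`localhost`, `127.0.0.1`, `::1`), that request headers arrive as a plain dict, and that a rejected origin should be answered with HTTP 403; the sample requests at the bottom are constructed.

```python
from urllib.parse import urlparse

# Origins a locally deployed server is expected to accept cross-site requests
# from. Assumed for this example; a real deployment may allow others.
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}


def _header(headers: dict, name: str):
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def origin_is_local(origin: str) -> bool:
    """True if the Origin header names a local http(s) origin."""
    parsed = urlparse(origin)
    return parsed.scheme in ("http", "https") and parsed.hostname in LOCAL_HOSTS


def _origin_passes(headers: dict) -> bool:
    origin = _header(headers, "Origin")
    if origin is None:
        # No Origin header: not a cross-site browser request, nothing to validate.
        return True
    return origin_is_local(origin)


def vulnerable_cors_check(headers: dict) -> bool:
    """The pattern described in CVE-2024-47084: any request carrying a Cookie
    header skips origin validation, so an authenticated victim's browser can be
    driven by an arbitrary site."""
    if _header(headers, "Cookie") is not None:
        return True
    return _origin_passes(headers)


def hardened_cors_check(headers: dict) -> bool:
    """The workaround from the advisory: validate the Origin on every request,
    regardless of whether a cookie is present."""
    return _origin_passes(headers)


def respond(headers: dict, check) -> int:
    """Simulate the middleware decision as an HTTP status: 200 or 403."""
    return 200 if check(headers) else 403


# Constructed sample requests (not captured traffic).
CROSS_SITE_WITH_SESSION = {
    "Origin": "https://attacker.example",
    "Cookie": "access-token-unsecure=example-session",
}
LOCAL_WITH_SESSION = {
    "Origin": "http://localhost:7860",
    "Cookie": "access-token-unsecure=example-session",
}
CROSS_SITE_NO_SESSION = {"Origin": "https://attacker.example"}

if __name__ == "__main__":
    for label, req in [
        ("cross-site, logged in", CROSS_SITE_WITH_SESSION),
        ("local, logged in", LOCAL_WITH_SESSION),
        ("cross-site, anonymous", CROSS_SITE_NO_SESSION),
    ]:
        print(f"{label:24} vulnerable={respond(req, vulnerable_cors_check)} "
              f"hardened={respond(req, hardened_cors_check)}")
```

The only request whose outcome differs between the two checks is the cross-site request that carries a session cookie: the vulnerable check returns 200 and the hardened one 403. Local origins and requests without an `Origin` header are treated the same either way, which is why the tighter check is a safe drop-in for the local-deployment case the advisory covers.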
Overview
- CVE ID: CVE-2024-47084
- Assigner: GitHub_M
- Vulnerability Status: PUBLISHED
- Published Version: 2024-10-10T21:53:51.940Z
- Last Modified Date: 2024-10-10T21:53:51.940Z
Weakness Enumerations
References
| Reference URL | Reference Tags |
|---|---|
| https://github.com/gradio-app/gradio/security/advisories/GHSA-3c67-5hwx-f6wx | x_refsource_CONFIRM |
Sources
| Source Name | Source URL |
|---|---|
| NIST | https://nvd.nist.gov/vuln/detail/CVE-2024-47084 |
| MITRE | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-47084 |
History
| Created | Old Value | New Value | Data Type | Notes |
|---|---|---|---|---|
| 2024-10-11 13:16:59 | | | | Added to TrackCVE |