CVE-2024-4253

Command Injection in gradio-app/gradio

Severity Score

7.5

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track*

*SSVC

Descriptions

A command injection vulnerability exists in the gradio-app/gradio repository, specifically within the 'test-functional.yml' workflow. The vulnerability arises due to improper neutralization of special elements used in a command, allowing for unauthorized modification of the base repository or secrets exfiltration. The issue affects versions up to and including '@gradio/video@0.6.12'. The flaw is present in the workflow's handling of GitHub context information, where it echoes the full name of the head repository, the head branch, and the workflow reference without adequate sanitization. This could potentially lead to the exfiltration of sensitive secrets such as 'GITHUB_TOKEN', 'COMMENT_TOKEN', and 'CHROMATIC_PROJECT_TOKEN'.

Existe una vulnerabilidad de inyección de comandos en el repositorio gradio-app/gradio, específicamente dentro del flujo de trabajo 'test-functional.yml'. La vulnerabilidad surge debido a la neutralización inadecuada de elementos especiales utilizados en un comando, lo que permite la modificación no autorizada del repositorio base o la filtración de secretos. El problema afecta a las versiones hasta '@gradio/video@0.6.12' incluida. La falla está presente en el manejo por parte del flujo de trabajo de la información de contexto de GitHub, donde hace eco del nombre completo del repositorio principal, la rama principal y la referencia del flujo de trabajo sin una desinfección adecuada. Esto podría conducir potencialmente a la filtración de secretos confidenciales como 'GITHUB_TOKEN', 'COMMENT_TOKEN' y 'CHROMATIC_PROJECT_TOKEN'.

*Credits: N/A

Attack Vector

Network

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Low

Authentication

Single

Confidentiality

Partial

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:Track*

Exploitation

None

Automatable

Tech. Impact

Total

* Organization's Worst-case Scenario

Timeline

2024-04-26 CVE Reserved
2024-06-04 CVE Published
2024-08-01 CVE Updated
2025-04-15 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')

CAPEC

References (2)

URL	Tag	Source
https://github.com/gradio-app/gradio/commit/a0e70366a8a406fdd80abb21e8c88a3c8e682a2b
https://huntr.com/bounties/23cb3749-8ae9-4e1a-9023-4a20ca6b675e

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Gradio Project Search vendor "Gradio Project"		Gradio Search vendor "Gradio Project" for product "Gradio"				*		-		Affected