
Comments (7)

abidlabs avatar abidlabs commented on June 21, 2024

Hi @refiller this issue has been fixed as part of #7503

Also your security team e-mail ([email protected]) did not work

Where did you see this email? This has been replaced with: [email protected]

from gradio.

refiller avatar refiller commented on June 21, 2024

Hello, that e-mail can be found here https://github.com/gradio-app/gradio/blob/main/SECURITY.md

It's good to hear it's been fixed, is it part of any release yet? It seems like the CVE record thinks even the latest version is still vulnerable.


abidlabs avatar abidlabs commented on June 21, 2024

Yes I’ll issue a CVE advisory but it’s fixed in the latest version: 4.31.4, as well as many older versions


refiller avatar refiller commented on June 21, 2024

An advisory would be really helpful, thank you!

And thanks for the information too!


abidlabs avatar abidlabs commented on June 21, 2024

Hi @refiller I looked into this and actually the CVE in question is a little unclear. If it's referring to GHSA-48cq-79qq-6f7x, then indeed that issue has been patched since gradio==4.19.2 and we have a published advisory for it.

If, on the other hand, it's referring to users being able to upload arbitrary files to a Gradio app that includes a file upload component (such as gr.File or gr.UploadButton), then this is indeed intentional and would be classified as a "won't fix". This would be similar to a Flask app or FastAPI app accepting any files to be uploaded in a general upload route.


refiller avatar refiller commented on June 21, 2024

Hello @abidlabs

https://nvd.nist.gov/vuln/detail/CVE-2023-41626 is the one I'm referring to, and it looks like that's the "won't fix" one.

The gist https://gist.github.com/impose1/590472eb0544ef1ec36c8a5a40122adb (apparently that's all it takes to report a vuln) says this:

Gradio v3.27.0 was discovered to contain an arbitrary file upload. Uploading files to the /tmp directory may result in malicious access to website permissions if there are files containing vulnerabilities in other sites on the server.

I'm trying to understand why the author thought this was a High vulnerability.

  • What is the problem with this? Can Gradio be tricked into executing something in the /tmp directory or something?
  • I don't see a problem with gradio allowing arbitrary file uploads (plenty of things support this)
  • I might see the author's point if the server admin could unexpectedly cause an arbitrary code execution situation, as in, if Gradio auto-executes anything in /tmp
  • I would not consider it a vulnerability if Gradio e.g. allowed somebody to upload a python file, and then the admin put code in to execute it. That's not Gradio's fault, that's the person using Gradio's fault.


abidlabs avatar abidlabs commented on June 21, 2024

That's an excellent question for the author of that CVE

What is the problem with this? Can Gradio be tricked into executing something in the /tmp directory or something?

Not as far as I know. If a security researcher finds this, and can provide us a PoC, we would treat this as a high-priority security vulnerability

I don't see a problem with gradio allowing arbitrary file uploads (plenty of things support this)
I might see the author's point if the server admin could unexpectedly cause an arbitrary code execution situation, as in, if Gradio auto-executes anything in /tmp
I would not consider it a vulnerability if Gradio e.g. allowed somebody to upload a python file, and then the admin put code in to execute it. That's not Gradio's fault, that's the person using Gradio's fault.

Agreed with these points

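As an added illustration of the point both commenters agree on (this is not code from Gradio or from either participant): a handler for a gr.File input that treats the file Gradio placed in its temp dir as untrusted data and never executes it. It assumes gr.File hands the function a filepath string; the accepted suffixes, size limit and storage directory are this hypothetical app's own policy.

```python
import secrets
import shutil
import tempfile
from pathlib import Path

ALLOWED_SUFFIXES = {".csv", ".txt", ".png"}  # hypothetical app policy
MAX_BYTES = 5 * 1024 * 1024

def store_upload(tmp_path: str, storage_dir: str) -> str:
    """Validate a file Gradio placed in its temp dir and copy it to storage_dir."""
    # Assumed wiring: gr.Interface(fn=store_upload, inputs=gr.File(), ...) passes a path
    # string. The upload is opaque data: never executed, imported or handed to a shell.
    src = Path(tmp_path)
    if src.is_symlink() or not src.is_file():
        raise ValueError("upload is not a regular file")
    suffix = src.suffix.lower()
    if suffix not in ALLOWED_SUFFIXES:
        raise ValueError(f"file type {suffix!r} not accepted")
    size = src.stat().st_size
    if size == 0 or size > MAX_BYTES:
        raise ValueError(f"size {size} outside accepted range")
    data = src.read_bytes()
    if suffix == ".png" and not data.startswith(b"\x89PNG\r\n\x1a\n"):
        raise ValueError("PNG magic bytes missing")
    if suffix in {".csv", ".txt"}:
        data.decode("utf-8")  # UnicodeDecodeError (a ValueError) for binary junk
    dest_dir = Path(storage_dir)
    dest_dir.mkdir(mode=0o700, parents=True, exist_ok=True)
    # Server-generated name and tight mode: the client-chosen filename never reaches the store.
    dest = dest_dir / f"{secrets.token_hex(16)}{suffix}"
    shutil.copyfile(src, dest)
    dest.chmod(0o600)
    return str(dest)

def _attempt(path: Path, store: Path) -> bool:
    # True if the handler accepted the file, False if it rejected it.
    try:
        store_upload(str(path), str(store))
        return True
    except ValueError:
        return False

def demo() -> dict:
    """Run the handler over constructed sample uploads (not real user data)."""
    with tempfile.TemporaryDirectory() as tmp:
        up, store = Path(tmp) / "upload", Path(tmp) / "store"
        up.mkdir()
        (up / "data.csv").write_text("id,value\n1,2\n")
        (up / "hook.py").write_text("print('hi')\n")
        (up / "img.png").write_bytes(b"not a png")
        return {n: _attempt(up / n, store) for n in ("data.csv", "hook.py", "img.png")}
```

The script upload is refused on suffix alone and the mislabelled PNG on its header; whatever is accepted is copied under a random name, so nothing the client chose is ever used as a path or run.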
