CVE-2021-43831

moderate-risk
Published 2021-12-15

Gradio is an open source framework for building interactive machine learning models and demos. In versions prior to 2.5.0 there is a vulnerability that affects anyone who creates and publicly shares Gradio interfaces. File paths are not restricted and users who receive a Gradio link can access any files on the host computer if they know the file names or file paths. This is limited only by the host operating system. Paths are opened in read only mode. The problem has been patched in gradio 2.5.0.

Do I need to act?

!
30.3% chance of exploitation in next 30 days
EPSS score — higher than 70% of all CVEs
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
7
CVSS 7.7/10 High
NETWORK / LOW complexity

Affected Products (1)

Affected Vendors

Gradio Project

References (4)

Patch https://github.com/gradio-app/gradio/commit/41bd3645bdb616e1248b2167ca83636a2653...
Exploit https://github.com/gradio-app/gradio/security/advisories/GHSA-rhq2-3vr9-6mcr
Patch https://github.com/gradio-app/gradio/commit/41bd3645bdb616e1248b2167ca83636a2653...
Exploit https://github.com/gradio-app/gradio/security/advisories/GHSA-rhq2-3vr9-6mcr
48
/ 100
moderate-risk
Severity 27/34 · High
Exploitability 16/34 · Moderate
Exposure 5/34 · Minimal