CVE-2024-1183

moderate-risk
Published 2024-04-16

An SSRF (Server-Side Request Forgery) vulnerability exists in the gradio-app/gradio repository, allowing attackers to scan and identify open ports within an internal network. By manipulating the 'file' parameter in a GET request, an attacker can discern the status of internal ports based on the presence of a 'Location' header or a 'File not allowed' error in the response.

Do I need to act?

!
65.7% chance of exploitation in next 30 days
EPSS score — higher than 34% of all CVEs
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
6
CVSS 6.5/10 Medium
NETWORK / LOW complexity

Affected Products (1)

Affected Vendors

Gradio Project

References (4)

Patch https://github.com/gradio-app/gradio/commit/2ad3d9e7ec6c8eeea59774265b44f11df739...
Exploit https://huntr.com/bounties/103434f9-87d2-42ea-9907-194a3c25007c
Patch https://github.com/gradio-app/gradio/commit/2ad3d9e7ec6c8eeea59774265b44f11df739...
Exploit https://huntr.com/bounties/103434f9-87d2-42ea-9907-194a3c25007c
48
/ 100
moderate-risk
Severity 24/34 · High
Exploitability 19/34 · Moderate
Exposure 5/34 · Minimal