CVE-2024-4254

moderate-risk
Published 2024-06-04

The 'deploy-website.yml' workflow in the gradio-app/gradio repository, specifically in the 'main' branch, is vulnerable to secrets exfiltration due to improper authorization. The vulnerability arises from the workflow's explicit checkout and execution of code from a fork, which is unsafe as it allows the running of untrusted code in an environment with access to push to the base repository and access secrets. This flaw could lead to the exfiltration of sensitive secrets such as GITHUB_TOKEN, HF_TOKEN, VERCEL_ORG_ID, VERCEL_PROJECT_ID, COMMENT_TOKEN, AWSACCESSKEYID, AWSSECRETKEY, and VERCEL_TOKEN. The vulnerability is present in the workflow file located at https://github.com/gradio-app/gradio/blob/72f4ca88ab569aae47941b3fb0609e57f2e13a27/.github/workflows/deploy-website.yml.

Do I need to act?

-
0.39% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
7
CVSS 7.1/10 High
NETWORK / LOW complexity

Affected Products (1)

Affected Vendors

Gradio Project

References (2)

Exploit https://huntr.com/bounties/59873fbd-5698-4ec3-87f9-5d70c6055d01
Exploit https://huntr.com/bounties/59873fbd-5698-4ec3-87f9-5d70c6055d01
31
/ 100
moderate-risk
Severity 25/34 · High
Exploitability 1/34 · Minimal
Exposure 5/34 · Minimal