CVE-2024-1561

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-1561
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-1561.json
Aliases
Published
2024-04-16T00:15:08Z
Modified
2024-05-14T13:08:54.247140Z
Summary
[none]
Details

An issue was discovered in gradio-app/gradio, where the /component_server endpoint improperly allows the invocation of any method on a Component class with attacker-controlled arguments. Specifically, by exploiting the move_resource_to_block_cache() method of the Block class, an attacker can copy any file on the filesystem to a temporary directory and subsequently retrieve it. This vulnerability enables unauthorized local file read access, posing a significant risk, especially when the application is exposed to the internet via launch(share=True), thereby allowing remote attackers to read files on the host machine. Furthermore, gradio apps hosted on huggingface.co are also affected, potentially leading to the exposure of sensitive information such as API keys and credentials stored in environment variables.

References

Affected packages

Git / github.com/gradio-app/gradio

Affected ranges

Type
GIT
Repo
https://github.com/gradio-app/gradio
Events
Introduced
0 (the exact introduced commit is unknown)
Fixed

Affected versions

@gradio/atoms@0.*

@gradio/atoms@0.2.0
@gradio/atoms@0.2.0-beta.6
@gradio/atoms@0.2.1
@gradio/atoms@0.2.2
@gradio/atoms@0.3.0
@gradio/atoms@0.3.1
@gradio/atoms@0.4.0
@gradio/atoms@0.4.1

@gradio/audio@0.*

@gradio/audio@0.4.0
@gradio/audio@0.4.0-beta.9
@gradio/audio@0.4.1
@gradio/audio@0.4.2
@gradio/audio@0.4.3
@gradio/audio@0.5.0
@gradio/audio@0.5.1
@gradio/audio@0.5.2
@gradio/audio@0.5.3
@gradio/audio@0.5.4
@gradio/audio@0.5.5
@gradio/audio@0.6.0
@gradio/audio@0.6.1
@gradio/audio@0.6.2
@gradio/audio@0.6.3
@gradio/audio@0.6.4

@gradio/box@0.*

@gradio/box@0.1.0
@gradio/box@0.1.0-beta.7
@gradio/box@0.1.1
@gradio/box@0.1.2
@gradio/box@0.1.3
@gradio/box@0.1.4
@gradio/box@0.1.5
@gradio/box@0.1.6

@gradio/button@0.*

@gradio/button@0.2.0
@gradio/button@0.2.0-beta.7
@gradio/button@0.2.1
@gradio/button@0.2.10
@gradio/button@0.2.11
@gradio/button@0.2.12
@gradio/button@0.2.13
@gradio/button@0.2.14
@gradio/button@0.2.2
@gradio/button@0.2.3
@gradio/button@0.2.4
@gradio/button@0.2.5
@gradio/button@0.2.6
@gradio/button@0.2.7
@gradio/button@0.2.8
@gradio/button@0.2.9

@gradio/chatbot@0.*

@gradio/chatbot@0.4.0
@gradio/chatbot@0.4.0-beta.9
@gradio/chatbot@0.4.1
@gradio/chatbot@0.4.2
@gradio/chatbot@0.4.3
@gradio/chatbot@0.4.4
@gradio/chatbot@0.4.5
@gradio/chatbot@0.4.6
@gradio/chatbot@0.4.7
@gradio/chatbot@0.4.8
@gradio/chatbot@0.5.0
@gradio/chatbot@0.5.1
@gradio/chatbot@0.5.2
@gradio/chatbot@0.5.3
@gradio/chatbot@0.5.4
@gradio/chatbot@0.5.5
@gradio/chatbot@0.5.6

@gradio/checkbox@0.*

@gradio/checkbox@0.2.0
@gradio/checkbox@0.2.0-beta.8
@gradio/checkbox@0.2.1
@gradio/checkbox@0.2.2
@gradio/checkbox@0.2.3
@gradio/checkbox@0.2.4
@gradio/checkbox@0.2.5
@gradio/checkbox@0.2.6

@gradio/checkboxgroup@0.*

@gradio/checkboxgroup@0.3.0
@gradio/checkboxgroup@0.3.0-beta.8
@gradio/checkboxgroup@0.3.1
@gradio/checkboxgroup@0.3.2
@gradio/checkboxgroup@0.3.3
@gradio/checkboxgroup@0.3.4
@gradio/checkboxgroup@0.3.5
@gradio/checkboxgroup@0.3.6
@gradio/checkboxgroup@0.3.7

@gradio/client@0.*

@gradio/client@0.2.1
@gradio/client@0.3.0
@gradio/client@0.3.1
@gradio/client@0.4.0
@gradio/client@0.4.1
@gradio/client@0.4.2
@gradio/client@0.5.0
@gradio/client@0.5.1
@gradio/client@0.5.2
@gradio/client@0.6.0
@gradio/client@0.7.0
@gradio/client@0.7.0-beta.1
@gradio/client@0.7.1
@gradio/client@0.7.2
@gradio/client@0.8.0
@gradio/client@0.8.1
@gradio/client@0.8.2
@gradio/client@0.9.0
@gradio/client@0.9.1
@gradio/client@0.9.2
@gradio/client@0.9.3
@gradio/client@0.9.4

@gradio/code@0.*

@gradio/code@0.2.0
@gradio/code@0.2.0-beta.8
@gradio/code@0.2.1
@gradio/code@0.2.2
@gradio/code@0.2.3
@gradio/code@0.2.4
@gradio/code@0.2.5
@gradio/code@0.2.6
@gradio/code@0.2.7
@gradio/code@0.2.8
@gradio/code@0.2.9
@gradio/code@0.3.0
@gradio/code@0.3.1
@gradio/code@0.3.2
@gradio/code@0.3.3
@gradio/code@0.3.4

@gradio/colorpicker@0.*

@gradio/colorpicker@0.2.0
@gradio/colorpicker@0.2.0-beta.8
@gradio/colorpicker@0.2.1
@gradio/colorpicker@0.2.2
@gradio/colorpicker@0.2.3
@gradio/colorpicker@0.2.4
@gradio/colorpicker@0.2.5
@gradio/colorpicker@0.2.6

@gradio/column@0.*

@gradio/column@0.1.0
@gradio/column@0.1.0-beta.3

@gradio/dataframe@0.*

@gradio/dataframe@0.3.0
@gradio/dataframe@0.3.0-beta.8
@gradio/dataframe@0.3.1
@gradio/dataframe@0.3.10
@gradio/dataframe@0.3.11
@gradio/dataframe@0.3.2
@gradio/dataframe@0.3.3
@gradio/dataframe@0.3.4
@gradio/dataframe@0.3.5
@gradio/dataframe@0.3.6
@gradio/dataframe@0.3.7
@gradio/dataframe@0.3.8
@gradio/dataframe@0.3.9
@gradio/dataframe@0.4.0
@gradio/dataframe@0.4.1
@gradio/dataframe@0.4.2
@gradio/dataframe@0.4.3
@gradio/dataframe@0.4.4

@gradio/dataset@0.*

@gradio/dataset@0.1.0
@gradio/dataset@0.1.0-beta.2
@gradio/dataset@0.1.1
@gradio/dataset@0.1.10
@gradio/dataset@0.1.11
@gradio/dataset@0.1.12
@gradio/dataset@0.1.13
@gradio/dataset@0.1.14
@gradio/dataset@0.1.2
@gradio/dataset@0.1.3
@gradio/dataset@0.1.4
@gradio/dataset@0.1.5
@gradio/dataset@0.1.6
@gradio/dataset@0.1.7
@gradio/dataset@0.1.8
@gradio/dataset@0.1.9

@gradio/dropdown@0.*

@gradio/dropdown@0.3.0
@gradio/dropdown@0.3.0-beta.8
@gradio/dropdown@0.3.1
@gradio/dropdown@0.3.2
@gradio/dropdown@0.3.3
@gradio/dropdown@0.4.0
@gradio/dropdown@0.4.1
@gradio/dropdown@0.4.2
@gradio/dropdown@0.4.3

@gradio/fallback@0.*

@gradio/fallback@0.2.0
@gradio/fallback@0.2.0-beta.8
@gradio/fallback@0.2.1
@gradio/fallback@0.2.2
@gradio/fallback@0.2.3
@gradio/fallback@0.2.4
@gradio/fallback@0.2.5
@gradio/fallback@0.2.6

@gradio/file@0.*

@gradio/file@0.2.0
@gradio/file@0.2.0-beta.8
@gradio/file@0.2.1
@gradio/file@0.2.2
@gradio/file@0.2.3
@gradio/file@0.2.4
@gradio/file@0.2.5
@gradio/file@0.2.6
@gradio/file@0.2.7
@gradio/file@0.3.0
@gradio/file@0.3.1
@gradio/file@0.4.0
@gradio/file@0.4.1
@gradio/file@0.4.2
@gradio/file@0.4.3
@gradio/file@0.4.4

@gradio/form@0.*

@gradio/form@0.1.0
@gradio/form@0.1.0-beta.7
@gradio/form@0.1.1
@gradio/form@0.1.2
@gradio/form@0.1.3
@gradio/form@0.1.4
@gradio/form@0.1.5
@gradio/form@0.1.6

@gradio/gallery@0.*

@gradio/gallery@0.4.0
@gradio/gallery@0.4.0-beta.9
@gradio/gallery@0.4.1
@gradio/gallery@0.4.10
@gradio/gallery@0.4.11
@gradio/gallery@0.4.12
@gradio/gallery@0.4.13
@gradio/gallery@0.4.14
@gradio/gallery@0.4.15
@gradio/gallery@0.4.2
@gradio/gallery@0.4.3
@gradio/gallery@0.4.4
@gradio/gallery@0.4.5
@gradio/gallery@0.4.6
@gradio/gallery@0.4.7
@gradio/gallery@0.4.8
@gradio/gallery@0.4.9

@gradio/group@0.*

@gradio/group@0.1.0
@gradio/group@0.1.0-beta.2

@gradio/highlightedtext@0.*

@gradio/highlightedtext@0.4.0
@gradio/highlightedtext@0.4.0-beta.8
@gradio/highlightedtext@0.4.1
@gradio/highlightedtext@0.4.2
@gradio/highlightedtext@0.4.3
@gradio/highlightedtext@0.4.4
@gradio/highlightedtext@0.4.5
@gradio/highlightedtext@0.4.6

@gradio/html@0.*

@gradio/html@0.1.0
@gradio/html@0.1.0-beta.8
@gradio/html@0.1.1
@gradio/html@0.1.2
@gradio/html@0.1.3
@gradio/html@0.1.4
@gradio/html@0.1.5
@gradio/html@0.1.6

@gradio/icons@0.*

@gradio/icons@0.2.0
@gradio/icons@0.2.0-beta.3
@gradio/icons@0.2.1
@gradio/icons@0.3.0
@gradio/icons@0.3.1
@gradio/icons@0.3.2

@gradio/image@0.*

@gradio/image@0.3.0
@gradio/image@0.3.0-beta.9
@gradio/image@0.3.1
@gradio/image@0.3.2
@gradio/image@0.3.3
@gradio/image@0.3.4
@gradio/image@0.3.5
@gradio/image@0.3.6
@gradio/image@0.4.0
@gradio/image@0.4.1
@gradio/image@0.4.2
@gradio/image@0.5.0
@gradio/image@0.5.1
@gradio/image@0.5.2
@gradio/image@0.5.3
@gradio/image@0.5.4

@gradio/imageeditor@0.*

@gradio/imageeditor@0.0.1
@gradio/imageeditor@0.1.0
@gradio/imageeditor@0.1.1
@gradio/imageeditor@0.1.2
@gradio/imageeditor@0.1.3
@gradio/imageeditor@0.1.4
@gradio/imageeditor@0.1.5
@gradio/imageeditor@0.2.0
@gradio/imageeditor@0.2.1

@gradio/json@0.*

@gradio/json@0.1.0
@gradio/json@0.1.0-beta.8
@gradio/json@0.1.1
@gradio/json@0.1.2
@gradio/json@0.1.3
@gradio/json@0.1.4
@gradio/json@0.1.5
@gradio/json@0.1.6

@gradio/label@0.*

@gradio/label@0.2.0
@gradio/label@0.2.0-beta.8
@gradio/label@0.2.1
@gradio/label@0.2.2
@gradio/label@0.2.3
@gradio/label@0.2.4
@gradio/label@0.2.5
@gradio/label@0.2.6

@gradio/lite@0.*

@gradio/lite@0.3.1
@gradio/lite@0.3.2
@gradio/lite@0.4.0
@gradio/lite@0.4.1
@gradio/lite@0.4.2
@gradio/lite@0.4.3

@gradio/markdown@0.*

@gradio/markdown@0.3.0
@gradio/markdown@0.3.0-beta.8
@gradio/markdown@0.3.1
@gradio/markdown@0.3.2
@gradio/markdown@0.3.3
@gradio/markdown@0.3.4
@gradio/markdown@0.4.0
@gradio/markdown@0.4.1
@gradio/markdown@0.5.0
@gradio/markdown@0.6.0

@gradio/model3d@0.*

@gradio/model3d@0.3.0
@gradio/model3d@0.3.0-beta.8
@gradio/model3d@0.3.1
@gradio/model3d@0.4.0
@gradio/model3d@0.4.1
@gradio/model3d@0.4.10
@gradio/model3d@0.4.11
@gradio/model3d@0.4.12
@gradio/model3d@0.4.2
@gradio/model3d@0.4.3
@gradio/model3d@0.4.4
@gradio/model3d@0.4.5
@gradio/model3d@0.4.6
@gradio/model3d@0.4.7
@gradio/model3d@0.4.8
@gradio/model3d@0.4.9

@gradio/number@0.*

@gradio/number@0.3.0
@gradio/number@0.3.0-beta.8
@gradio/number@0.3.1
@gradio/number@0.3.2
@gradio/number@0.3.3
@gradio/number@0.3.4
@gradio/number@0.3.5
@gradio/number@0.3.6

@gradio/plot@0.*

@gradio/plot@0.2.0
@gradio/plot@0.2.0-beta.8
@gradio/plot@0.2.1
@gradio/plot@0.2.2
@gradio/plot@0.2.3
@gradio/plot@0.2.4
@gradio/plot@0.2.5
@gradio/plot@0.2.6

@gradio/preview@0.*

@gradio/preview@0.1.0
@gradio/preview@0.1.0-beta.8
@gradio/preview@0.1.1
@gradio/preview@0.2.0
@gradio/preview@0.2.1
@gradio/preview@0.2.2
@gradio/preview@0.3.0
@gradio/preview@0.4.0
@gradio/preview@0.5.0
@gradio/preview@0.6.0

@gradio/radio@0.*

@gradio/radio@0.3.0
@gradio/radio@0.3.0-beta.8
@gradio/radio@0.3.1
@gradio/radio@0.3.2
@gradio/radio@0.3.3
@gradio/radio@0.3.4
@gradio/radio@0.3.5
@gradio/radio@0.3.6
@gradio/radio@0.3.7

@gradio/row@0.*

@gradio/row@0.1.0
@gradio/row@0.1.0-beta.2
@gradio/row@0.1.1

@gradio/simpledropdown@0.*

@gradio/simpledropdown@0.1.0
@gradio/simpledropdown@0.1.0-beta.3
@gradio/simpledropdown@0.1.1
@gradio/simpledropdown@0.1.2
@gradio/simpledropdown@0.1.3
@gradio/simpledropdown@0.1.4
@gradio/simpledropdown@0.1.5
@gradio/simpledropdown@0.1.6

@gradio/simpletextbox@0.*

@gradio/simpletextbox@0.1.0
@gradio/simpletextbox@0.1.0-beta.2
@gradio/simpletextbox@0.1.1
@gradio/simpletextbox@0.1.2
@gradio/simpletextbox@0.1.3
@gradio/simpletextbox@0.1.4
@gradio/simpletextbox@0.1.5
@gradio/simpletextbox@0.1.6

@gradio/slider@0.*

@gradio/slider@0.2.0
@gradio/slider@0.2.0-beta.8
@gradio/slider@0.2.1
@gradio/slider@0.2.2
@gradio/slider@0.2.3
@gradio/slider@0.2.4
@gradio/slider@0.2.5
@gradio/slider@0.2.6

@gradio/state@0.*

@gradio/state@0.1.0
@gradio/state@0.1.0-beta.2

@gradio/statustracker@0.*

@gradio/statustracker@0.3.0
@gradio/statustracker@0.3.0-beta.8
@gradio/statustracker@0.3.1
@gradio/statustracker@0.3.2
@gradio/statustracker@0.4.0
@gradio/statustracker@0.4.1
@gradio/statustracker@0.4.2
@gradio/statustracker@0.4.3

@gradio/tabitem@0.*

@gradio/tabitem@0.1.0
@gradio/tabitem@0.1.0-beta.8

@gradio/tabs@0.*

@gradio/tabs@0.1.0
@gradio/tabs@0.1.0-beta.8

@gradio/textbox@0.*

@gradio/textbox@0.4.0
@gradio/textbox@0.4.0-beta.8
@gradio/textbox@0.4.1
@gradio/textbox@0.4.2
@gradio/textbox@0.4.3
@gradio/textbox@0.4.4
@gradio/textbox@0.4.5
@gradio/textbox@0.4.6
@gradio/textbox@0.4.7

@gradio/theme@0.*

@gradio/theme@0.2.0
@gradio/theme@0.2.0-beta.2

@gradio/tooltip@0.*

@gradio/tooltip@0.1.0
@gradio/tooltip@0.1.0-beta.2

@gradio/tootils@0.*

@gradio/tootils@0.1.0
@gradio/tootils@0.1.0-beta.7
@gradio/tootils@0.1.1
@gradio/tootils@0.1.2
@gradio/tootils@0.1.3
@gradio/tootils@0.1.4
@gradio/tootils@0.1.5
@gradio/tootils@0.1.6
@gradio/tootils@0.1.7

@gradio/upload@0.*

@gradio/upload@0.3.0
@gradio/upload@0.3.0-beta.6
@gradio/upload@0.3.1
@gradio/upload@0.3.2
@gradio/upload@0.3.3
@gradio/upload@0.4.0
@gradio/upload@0.4.1
@gradio/upload@0.4.2
@gradio/upload@0.5.0
@gradio/upload@0.5.1
@gradio/upload@0.5.2
@gradio/upload@0.5.3
@gradio/upload@0.5.4
@gradio/upload@0.5.5
@gradio/upload@0.5.6
@gradio/upload@0.5.7

@gradio/uploadbutton@0.*

@gradio/uploadbutton@0.1.0
@gradio/uploadbutton@0.1.0-beta.7
@gradio/uploadbutton@0.1.1
@gradio/uploadbutton@0.1.2
@gradio/uploadbutton@0.1.3
@gradio/uploadbutton@0.1.4
@gradio/uploadbutton@0.1.5
@gradio/uploadbutton@0.2.0
@gradio/uploadbutton@0.2.1
@gradio/uploadbutton@0.2.2
@gradio/uploadbutton@0.3.0
@gradio/uploadbutton@0.3.1
@gradio/uploadbutton@0.3.2
@gradio/uploadbutton@0.3.3
@gradio/uploadbutton@0.3.4
@gradio/uploadbutton@0.3.5

@gradio/utils@0.*

@gradio/utils@0.2.0
@gradio/utils@0.2.0-beta.6

@gradio/video@0.*

@gradio/video@0.1.0
@gradio/video@0.1.0-beta.9
@gradio/video@0.1.1
@gradio/video@0.1.2
@gradio/video@0.1.3
@gradio/video@0.1.4
@gradio/video@0.1.5
@gradio/video@0.1.6
@gradio/video@0.1.7
@gradio/video@0.1.8
@gradio/video@0.1.9
@gradio/video@0.2.0
@gradio/video@0.2.1
@gradio/video@0.2.2
@gradio/video@0.2.3
@gradio/video@0.2.4

@gradio/wasm@0.*

@gradio/wasm@0.2.0
@gradio/wasm@0.2.0-beta.2
@gradio/wasm@0.3.0
@gradio/wasm@0.4.0

gradio@3.*

gradio@3.41.0
gradio@3.41.1
gradio@3.41.2
gradio@3.42.0
gradio@3.43.0
gradio@3.43.1
gradio@3.43.2
gradio@3.44.0
gradio@3.44.1
gradio@3.44.2
gradio@3.44.3
gradio@3.44.4
gradio@3.45.0
gradio@3.45.1
gradio@3.45.2
gradio@3.46.0
gradio@3.46.1
gradio@3.47.0
gradio@3.47.1
gradio@3.48.0
gradio@3.49.0
gradio@3.50.0
gradio@3.50.1
gradio@3.50.2

gradio@4.*

gradio@4.0.0
gradio@4.0.0-beta.15
gradio@4.0.1
gradio@4.0.2
gradio@4.1.0
gradio@4.1.1
gradio@4.1.2
gradio@4.10.0
gradio@4.11.0
gradio@4.12.0
gradio@4.2.0
gradio@4.3.0
gradio@4.4.0
gradio@4.4.1
gradio@4.5.0
gradio@4.6.0
gradio@4.7.0
gradio@4.8.0
gradio@4.9.0
gradio@4.9.1

gradio_client@0.*

gradio_client@0.5.0
gradio_client@0.5.1
gradio_client@0.5.2
gradio_client@0.5.3
gradio_client@0.6.0
gradio_client@0.6.1
gradio_client@0.7.0
gradio_client@0.7.0-beta.2
gradio_client@0.7.1
gradio_client@0.7.2
gradio_client@0.7.3
gradio_client@0.8.0

v2.*

v2.3.6
v2.4.0
v2.6.0
v2.7.1
v2.7.5
v2.8.1
v2.9.0

v3.*

v3.0
v3.0.1b120
v3.0.1b121
v3.0.1b123
v3.0.1b150
v3.0.1b300
v3.0.25
v3.0.26
v3.1.0
v3.1.1
v3.1.3
v3.1.3a
v3.1.3a2
v3.1.3a3
v3.1.4
v3.1.4b
v3.1.4b1
v3.1.4b2
v3.1.4b3
v3.1.5
v3.1.6
v3.1.7
v3.1.8b
v3.10.0
v3.10.1
v3.11.0
v3.12.0
v3.12.0b1
v3.12.0b2
v3.12.0b3
v3.12.0b6
v3.12.0b7
v3.13.0
v3.13.0b1
v3.13.1
v3.13.1b0
v3.13.1b1
v3.13.1b2
v3.13.2
v3.14.0
v3.14.0a1
v3.15.0
v3.16.0
v3.16.1
v3.16.1b1
v3.16.2
v3.17.0
v3.17.1
v3.17.1b1
v3.17.1b2
v3.18.0
v3.18.1b1
v3.18.1b2
v3.18.1b3
v3.18.1b4
v3.18.1b5
v3.18.1b6
v3.18.1b7
v3.19.0
v3.19.1
v3.2
v3.2.1b0
v3.2.1b1
v3.2.1b2
v3.20.0
v3.20.0b2
v3.20.1
v3.21.0
v3.22.0
v3.22.1
v3.22.1b1
v3.23.0
v3.23.1b1
v3.23.1b2
v3.23.1b3
v3.24.0
v3.24.1
v3.25.0
v3.25.1b1
v3.25.1b2
v3.26.0
v3.27.0
v3.28.0
v3.28.1
v3.28.2
v3.28.3
v3.28.4b0
v3.29.0
v3.3
v3.3.1
v3.3.b0
v3.30.0
v3.31.0
v3.32.0
v3.33.0
v3.33.1
v3.34.0
v3.35.0
v3.35.1
v3.35.2
v3.36.0
v3.36.1
v3.37.0
v3.38.0
v3.39.0
v3.3b1
v3.4
v3.4.1
v3.40.0
v3.40.1
v3.41.0
v3.4b0
v3.4b1
v3.4b2
v3.4b3
v3.4b5
v3.5
v3.6
v3.6.0b1
v3.6.0b10
v3.6.0b2
v3.6.0b3
v3.6.0b7
v3.7
v3.8
v3.8.1
v3.8.1dev1
v3.8.2
v3.8b1
v3.8b2
v3.9
v3.9.1