Exploitation Summary
CVE-2024-1561 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 2 public exploits from researchers including DiabloHTB. A Nuclei detection template is also available.
AI-analyzed exploit summary The repository lacks actual exploit code and instead points to an external writeup. The README provides usage instructions but no technical details about the vulnerability itself.
Description
An issue was discovered in gradio-app/gradio, where the `/component_server` endpoint improperly allows the invocation of any method on a `Component` class with attacker-controlled arguments. Specifically, by exploiting the `move_resource_to_block_cache()` method of the `Block` class, an attacker can copy any file on the filesystem to a temporary directory and subsequently retrieve it. This vulnerability enables unauthorized local file read access, posing a significant risk especially when the application is exposed to the internet via `launch(share=True)`, thereby allowing remote attackers to read files on the host machine. Furthermore, gradio apps hosted on `huggingface.co` are also affected, potentially leading to the exposure of sensitive information such as API keys and credentials stored in environment variables.
Exploits (2)
The repository lacks actual exploit code and instead points to an external writeup. The README provides usage instructions but no technical details about the vulnerability itself.
This repository contains a Nuclei template designed to detect CVE-2024-1561, a local file read vulnerability in Gradio. The template sends HTTP requests to check for the presence of arbitrary file read capabilities by attempting to read /etc/passwd.
Nuclei Templates (1)
html:"__gradio_mode__"
References (3)
Scores
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N