CVE-2024-39236 — CRITICAL (9.8)

Vulnerability Description

Gradio v4.36.1 was discovered to contain a code injection vulnerability via the component /gradio/component_meta.py. This vulnerability is triggered via a crafted input. NOTE: the supplier disputes this because the report is about a user attacking himself.

CVSS Score

9.8

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Gradio Project	Gradio	4.36.1

Related Weaknesses (CWE)

CWE-94

References

https://github.com/Aaron911/PoC/blob/main/Gradio.mdExploitThird Party Advisory
https://github.com/advisories/GHSA-9v2f-6vcg-3hgvThird Party Advisory
https://github.com/gradio-app/gradio/issues/8853ExploitIssue TrackingVendor Advisory
https://github.com/Aaron911/PoC/blob/main/Gradio.mdExploitThird Party Advisory
https://github.com/advisories/GHSA-9v2f-6vcg-3hgvThird Party Advisory
https://github.com/gradio-app/gradio/issues/8853ExploitIssue TrackingVendor Advisory

FAQ

What is CVE-2024-39236?

CVE-2024-39236 is a vulnerability with a CVSS score of 9.8 (CRITICAL). Gradio v4.36.1 was discovered to contain a code injection vulnerability via the component /gradio/component_meta.py. This vulnerability is triggered via a crafted input. NOTE: the supplier disputes th...

How severe is CVE-2024-39236?

CVE-2024-39236 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2024-39236?

Check the references section above for vendor advisories and patch information. Affected products include: Gradio Project Gradio.