Vulnerability Description
The 'deploy-website.yml' workflow in the gradio-app/gradio repository, specifically in the 'main' branch, is vulnerable to secrets exfiltration due to improper authorization. The workflow explicitly checks out and executes code from a fork, which is unsafe because it runs untrusted code in an environment that can push to the base repository and read its secrets. This flaw could lead to the exfiltration of sensitive secrets such as GITHUB_TOKEN, HF_TOKEN, VERCEL_ORG_ID, VERCEL_PROJECT_ID, COMMENT_TOKEN, AWSACCESSKEYID, AWSSECRETKEY, and VERCEL_TOKEN. The vulnerability is present in the workflow file located at https://github.com/gradio-app/gradio/blob/72f4ca88ab569aae47941b3fb0609e57f2e13a27/.github/workflows/deploy-website.yml.
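The weakness class described above, shown as an added illustration that is not the gradio workflow's actual contents: a privileged trigger that checks out and runs fork code with secrets in scope, beside a split into an unprivileged PR build and a trusted deploy. Step names, secret names and the `npm` commands are assumed placeholders.

```yaml
# --- Weak pattern (hypothetical illustration of the class, not the real file) ---
# pull_request_target runs in the BASE repository's context: a write-capable
# GITHUB_TOKEN and repository secrets are available. Checking out the PR head
# and running its build scripts hands that context to fork-controlled code.
name: deploy-preview-weak
on: pull_request_target
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}   # fork-controlled code
      - run: npm ci && npm run build                       # runs the fork's scripts
        env:
          DEPLOY_TOKEN: ${{ secrets.DEPLOY_TOKEN }}        # reachable by that code
---
# --- Hardened pattern, part 1: build untrusted PR code with NO secrets ---
# pull_request (not _target) from a fork gets a read-only token and no secrets,
# so anything the fork's build scripts do stays inside a throwaway sandbox.
name: pr-build
on: pull_request
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false      # do not leave even the read token on disk
      - run: npm ci && npm run build
      - uses: actions/upload-artifact@v4  # output is data, never executed later
        with:
          name: site
          path: dist/
---
# --- Hardened pattern, part 2: deploy only code that landed on a trusted branch ---
name: deploy-website
on:
  push:
    branches: [main]
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4         # main-branch code, reviewed and merged
      - run: npm ci && npm run build
      - run: ./scripts/deploy.sh          # placeholder; only here do secrets exist
        env:
          DEPLOY_TOKEN: ${{ secrets.DEPLOY_TOKEN }}
```

Detection check for the weak pattern: grep workflows for `pull_request_target` and flag any job that both checks out `github.event.pull_request.head.*` and references `secrets.` or runs `npm`/`pip`/`make` on the checked-out tree.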
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Gradio Project | Gradio | - |
Related Weaknesses (CWE)
References
- https://huntr.com/bounties/59873fbd-5698-4ec3-87f9-5d70c6055d01 (Exploit, Third Party Advisory)
FAQ
What is CVE-2024-4254?
CVE-2024-4254 is a vulnerability with a CVSS score of 7.1 (HIGH). The 'deploy-website.yml' workflow in the gradio-app/gradio repository, specifically in the 'main' branch, is vulnerable to secrets exfiltration due to improper authorization. The vulnerability arises ...
How severe is CVE-2024-4254?
CVE-2024-4254 has been rated HIGH with a CVSS base score of 7.1/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2024-4254?
Check the references section above for vendor advisories and patch information. Affected products include: Gradio (Gradio Project).