Use of Hard-coded Credentials Affecting gradio package, versions [,3.13.1)


Severity

Recommended
0.0
medium
0
10

CVSS assessment by Snyk's Security Team. Learn more

Threat Intelligence

EPSS
0.09% (27th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Use of Hard-coded Credentials vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-PYTHON-GRADIO-3330769
  • published24 Feb 2023
  • disclosed23 Feb 2023
  • creditGreg Sadetsky, Samuel Tremblay-Cossette

Introduced: 23 Feb 2023

CVE-2023-25823  (opens in a new tab)
CWE-798  (opens in a new tab)

How to fix?

Upgrade gradio to version 3.13.1 or higher.

Overview

gradio is a Python library for easily interacting with trained machine learning models

Affected versions of this package are vulnerable to Use of Hard-coded Credentials when using Gradio's share links (i.e. creating a Gradio app and then setting share=True). A private SSH key is sent to any user that connects to the Gradio machine, which means that a user could access other users' shared Gradio demos.

CVSS Base Scores

version 3.1