Improper Command Line Parameter Handling Affecting gradio package, versions [,4.18.0)


Severity

0.0
high
0
10

    Threat Intelligence

    Exploit Maturity
    Proof of concept
    EPSS
    0.04% (9th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-PYTHON-GRADIO-6508258
  • published 27 Mar 2024
  • disclosed 27 Mar 2024
  • credit Nikita Stupin

How to fix?

Upgrade gradio to version 4.18.0 or higher.

Overview

gradio is a Python library for easily interacting with trained machine learning models

Affected versions of this package are vulnerable to Improper Command Line Parameter Handling due to improper handling of secrets in the continuous integration (CI) process. An attacker can exfiltrate sensitive information by exploiting the misconfiguration in the CI setup.

References

CVSS Scores

version 3.1
Expand this section

Snyk

8.6 high
  • Attack Vector (AV)
    Network
  • Attack Complexity (AC)
    Low
  • Privileges Required (PR)
    None
  • User Interaction (UI)
    None
  • Scope (S)
    Unchanged
  • Confidentiality (C)
    High
  • Integrity (I)
    Low
  • Availability (A)
    Low