8.6
CVE-2024-1540
- EPSS 1.98%
- Veröffentlicht 27.03.2024 16:15:09
- Zuletzt bearbeitet 30.07.2025 19:57:13
- Quelle security@huntr.dev
- CVE-Watchlists
- Unerledigt
LoginCommand Injection in gradio-app/gradio via deploy+test-visual.yml workflow
A command injection vulnerability exists in the deploy+test-visual.yml workflow of the gradio-app/gradio repository, due to improper neutralization of special elements used in a command. This vulnerability allows attackers to execute unauthorized commands, potentially leading to unauthorized modification of the base repository or secrets exfiltration. The issue arises from the unsafe handling of GitHub context information within a `run` operation, where expressions inside `${{ }}` are evaluated and substituted before script execution. Remediation involves setting untrusted input values to intermediate environment variables to prevent direct influence on script generation.Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Gradio Project ≫ Gradio SwPlatformpython Version < 2024-02-09
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 1.98% | 0.779 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 8.2 | 3.9 | 4.2 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
|
| security@huntr.dev | 8.6 | 3.9 | 4.7 |
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
|
CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')
The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
https://github.com/gradio-app/gradio/commit/d56bb28df80d8db1f33e4acf4f6b2c4f87cb8b28
https://huntr.com/bounties/0e39e974-9a66-476f-91f5-3f37abb03d77