Status of CVE-2023-41626? / Security contact e-mail not working? #8337
Comments
Hi @refiller, this issue has been fixed as part of #7503.
Where did you see this email? This has been replaced with: gradio-team@huggingface.co
Hello, that e-mail can be found in https://github.com/gradio-app/gradio/blob/main/SECURITY.md. It's good to hear it's been fixed; is it part of any release yet? It seems like the CVE record thinks even the latest version is still vulnerable.
Yes, I’ll issue a CVE advisory, but it’s fixed in the latest version, 4.31.4, as well as many older versions.
An advisory would be really helpful, thank you! And thanks for the information too!
Hi @refiller, I looked into this and actually the CVE in question is a little unclear. If it's referring to GHSA-48cq-79qq-6f7x, then indeed that issue has been patched since If on the other hand, it's referring to users being able to upload arbitrary files to a Gradio app that includes a file upload component (such as
Hello @abidlabs https://nvd.nist.gov/vuln/detail/CVE-2023-41626 is the one I'm referring to, and it looks like that's the "won't fix" one. The gist https://gist.github.com/impose1/590472eb0544ef1ec36c8a5a40122adb (apparently that's all it takes to report a vuln) says this:
I'm trying to understand why the author thought this was a High vulnerability.
That's an excellent question for the author of that CVE.
Not as far as I know. If a security researcher finds this and can provide us a PoC, we would treat this as a high-priority security vulnerability.
Agreed with these points.
It looks like there is a CVE against Gradio, https://nvd.nist.gov/vuln/detail/CVE-2023-41626 , opened in April.
I haven't been able to find any responses from the Gradio team on this online.
It looks like the CVE is based on a malicious file upload, I know some of those tend to get rather tricky / opinionated. Is it the Gradio team's opinion that this is not a real issue? Is this a "won't fix" CVE because they consider it user error?
Also your security team e-mail (team@gradio.app) did not work, I just got an undeliverable mail message back. I'm not sure of any other way to reach out to ask about this. I don't use Discord.