Bug 1212123 (CVE-2023-34239) - VUL-0: CVE-2023-34239: gradio: Make the `/file` and `/proxy` routes more secure
Status: NEW
Alias: CVE-2023-34239
Product: openSUSE Distribution
Classification: openSUSE
Component: Other
Version: Leap 15.4
Hardware: Other Other
Importance: P3 - Medium : Normal
Target Milestone: ---
Assignee: Wolfgang Engel
QA Contact: E-mail List
Reported: 2023-06-08 06:23 UTC by Gianluca Gabrielli
Modified: 2023-06-08 07:15 UTC

Description Gianluca Gabrielli 2023-06-08 06:23:24 UTC
There are two separate security vulnerabilities here: (1) a security vulnerability that allows users to read arbitrary files on the machines that are running shared Gradio apps, and (2) the ability of users to use machines that are sharing Gradio apps to proxy arbitrary URLs.

References:
https://github.com/gradio-app/gradio/security/advisories/GHSA-3qqg-pgqq-3695