Bug 1221844 (CVE-2024-1727) - VUL-0: CVE-2024-1727: gradio: To prevent malicious 3rd party websites from making requests to Gradio applications running locally, this PR tightens the CORS rules around Gradio applications.
Summary: VUL-0: CVE-2024-1727: gradio: To prevent malicious 3rd party websites from ma...
Status: RESOLVED INVALID
Alias: CVE-2024-1727
Product: openSUSE Distribution
Classification: openSUSE
Component: Security
Version: Leap 15.6
Hardware: Other Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/398581/
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2024-03-22 04:40 UTC by SMASH SMASH
Modified: 2024-04-16 03:53 UTC
CC List: 2 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Description SMASH SMASH 2024-03-22 04:40:44 UTC
To prevent malicious third-party websites from making requests to Gradio applications running locally, this PR tightens the CORS rules around Gradio applications. In particular, it checks to see if the host header is localhost (or one of its aliases) and if so, it requires the origin header (if present) to be localhost (or one of its aliases) as well.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-1727
https://www.cve.org/CVERecord?id=CVE-2024-1727
https://github.com/gradio-app/gradio/commit/84802ee6a4806c25287344dce581f9548a99834a
https://huntr.com/bounties/a94d55fb-0770-4cbe-9b20-97a978a2ffff
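The Host/Origin rule stated in the description above, worked through as an added Python example. This is not Gradio's code and not the content of the linked commit; the list of localhost aliases, the deliberately naive prefix check shown beside it, and the sample header values (including port 7860) are assumptions made for the illustration.

```python
"""Host/Origin consistency check of the kind described in CVE-2024-1727.

Added example, not Gradio's own middleware. Rule: when the Host header names
the local machine, an Origin header, if present, must name the local machine
too. Requests to a non-local Host, and requests with no Origin at all (plain
same-origin navigations, curl, scripts), are left untouched.
"""
from typing import Optional
from urllib.parse import urlsplit

# Assumed alias set; the advisory text says "localhost (or one of its aliases)"
# without enumerating them.
LOCALHOST_ALIASES = {"localhost", "127.0.0.1", "::1", "0.0.0.0"}


def _hostname(authority: str) -> str:
    """Return the lower-cased host part of a host[:port] string.

    Prepending "//" lets urlsplit parse the authority, so "localhost:7860"
    and "[::1]:7860" both yield a bare hostname ("localhost", "::1").
    """
    return (urlsplit("//" + authority).hostname or "").lower()


def is_localhost(host_header: str) -> bool:
    """True when the Host header points at the local machine."""
    return _hostname(host_header.strip()) in LOCALHOST_ALIASES


def origin_is_localhost(origin_header: str) -> bool:
    """True when an Origin header (scheme://host[:port]) names the local machine.

    Exact match on the parsed hostname: "http://localhost.evil.example" is not
    local, and the literal "null" origin (sandboxed iframes, file://) has no
    hostname and is rejected.
    """
    parts = urlsplit(origin_header.strip())
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    return parts.hostname.lower() in LOCALHOST_ALIASES


def naive_origin_check(origin_header: str) -> bool:
    """Hypothetical weak check, shown only for contrast: a string prefix test
    accepts "http://localhost.evil.example" because it starts with
    "http://localhost". Do not use this form."""
    return origin_header.startswith("http://localhost")


def request_allowed(host_header: str, origin_header: Optional[str]) -> bool:
    """Apply the rule from the advisory text to one request's headers."""
    if not is_localhost(host_header):
        return True            # not a local app; rule does not apply
    if origin_header is None:
        return True            # no Origin: not a cross-site browser request
    return origin_is_localhost(origin_header)


if __name__ == "__main__":
    # Constructed sample requests (Host, Origin) for a local app on port 7860.
    samples = [
        ("localhost:7860", None),
        ("localhost:7860", "http://localhost:3000"),
        ("127.0.0.1:7860", "http://[::1]:7860"),
        ("localhost:7860", "http://evil.example"),
        ("localhost:7860", "http://localhost.evil.example"),
        ("localhost:7860", "null"),
        ("demo.example.com", "http://evil.example"),
    ]
    for host, origin in samples:
        print(f"Host={host!r:22} Origin={origin!r:34} allowed={request_allowed(host, origin)}")
```

The check only constrains browser-originated traffic, since browsers set Origin and scripts do not; that matches the advisory's goal of stopping a malicious website from driving a locally running app. The contrast with `naive_origin_check` is the point a reviewer would press on: match the parsed hostname exactly rather than testing string prefixes.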
Comment 1 Wolfgang Engel 2024-03-27 13:46:50 UTC
Might there be a confusion between Gradio and gradio-app?