CVE-2023-34239

7.3 HIGH

📋 TL;DR

CVE-2023-34239 is a vulnerability in the Gradio Python library (versions before 3.34.0) that lets an unauthenticated attacker read arbitrary files on the server and use the application as a proxy to fetch arbitrary URLs, because the paths accepted by the `/file=` route and the URLs accepted by the `/proxy=` route were not sufficiently filtered. Every deployment running a vulnerable version is affected, and the exposure is greatest where a Gradio interface is reachable by untrusted users (for example a public share link or an internet-facing host).

💻 Affected Systems

Products:
  • gradio
Versions: All versions before 3.34.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: All Gradio deployments using vulnerable versions are affected regardless of configuration.

📦 What is this software?

Gradio is an open-source Python library for building browser-based interfaces and demos around machine learning models and data science code. A script calls `demo.launch()` to start a local web server, optionally with a temporary public share link; many demos are published on Hugging Face Spaces or hosted on internal servers.

⚠️ Risk & Real-World Impact

🔴

Worst Case

An attacker reads sensitive files the Gradio process can access (configuration files, `.env` files, credentials, source code) and uses the server as a proxy to reach internal network resources that are not otherwise reachable from outside, including cloud metadata endpoints and internal services, leading to data theft and lateral movement.

🟠

Likely Case

Unauthorized file reads exposing application source code, configuration files, or other sensitive data readable by the account the Gradio process runs as.

🟢

If Mitigated

If the Gradio process runs under a least-privilege account and the host is segmented from sensitive networks, file reads are limited to what that account can read, and proxied requests reach only destinations the host can route to. Upgrading is the only way to remove the file-read and proxy behaviour itself.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires no authentication: a crafted HTTP request to the affected routes is enough, so any user who can reach the Gradio interface can attempt it.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.34.0

Vendor Advisory: https://github.com/gradio-app/gradio/security/advisories/GHSA-3qqg-pgqq-3695

Restart Required: Yes

Instructions:

1. Upgrade Gradio with pip: pip install --upgrade "gradio>=3.34.0"
2. Restart every running Gradio application so the new version is loaded.

🔧 Temporary Workarounds

No workarounds available

The vendor advisory states there are no known workarounds; upgrading to 3.34.0 or later is the only fix.

🧯 If You Can't Patch

  • Restrict network access to Gradio applications with firewall rules so only trusted sources can reach them, and do not launch unpatched apps with `share=True`, which publishes them through a public tunnel.
  • Run the Gradio process under a low-privilege account that cannot read secrets, and apply egress filtering from the host so proxied requests cannot reach internal services or cloud metadata endpoints.
  • Monitor application logs for unusual file path access patterns (absolute paths, traversal sequences) and for proxy requests to URLs your application does not normally load.

🔍 How to Verify

Check if Vulnerable:

Check the installed Gradio version; if it is below 3.34.0, you are vulnerable. Compare versions numerically, not as strings (as text, "3.9.1" sorts after "3.34.0"), and check in the same interpreter or virtual environment that runs the application.

Check Version:

python -c "import gradio; print(gradio.__version__)"

Verify Fix Applied:

After upgrading and restarting, run the same command and confirm it reports 3.34.0 or higher.
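The following script automates the check above and does the numeric comparison that a plain string comparison gets wrong. It is an added example, not code from Gradio or from the advisory; it assumes only that Gradio is installed with pip metadata (so `importlib.metadata` can see it), and it treats pre-releases of the fixed version as unpatched.

```python
import re
from importlib.metadata import PackageNotFoundError, version

FIXED_VERSION = "3.34.0"  # first release carrying the fix, per the advisory


def parse_version(text):
    """Turn a version string into a comparable tuple.

    Returns (major, minor, patch, final) where final is 1 for a final
    release and 0 for a pre-release such as '3.34.0b2', so a pre-release
    of the fixed version still sorts below the fixed release.
    """
    pieces = text.split(".")[:3]
    nums = []
    for piece in pieces:
        m = re.match(r"\d+", piece)
        nums.append(int(m.group()) if m else 0)
    while len(nums) < 3:
        nums.append(0)
    final = 0 if any(re.search(r"[A-Za-z]", p) for p in pieces) else 1
    return (nums[0], nums[1], nums[2], final)


def is_vulnerable(installed):
    """True when the installed Gradio predates the fixed release.

    Numeric comparison matters: as strings, '3.9.1' > '3.34.0', which
    would wrongly report an old 3.9.x install as patched.
    """
    return parse_version(installed) < parse_version(FIXED_VERSION)


def check_installed():
    """Return (installed_version, vulnerable) for this interpreter's gradio,
    or (None, False) if gradio is not installed here."""
    try:
        installed = version("gradio")
    except PackageNotFoundError:
        return None, False
    return installed, is_vulnerable(installed)


if __name__ == "__main__":
    installed, vulnerable = check_installed()
    if installed is None:
        print("gradio is not installed in this interpreter")
    elif vulnerable:
        print(f"gradio {installed}: VULNERABLE, upgrade to >= {FIXED_VERSION}")
    else:
        print(f"gradio {installed}: patched")
```

Run it with the interpreter that serves the application (for example `.venv/bin/python check_gradio.py`); a system-wide Python may carry a different Gradio than the one the app actually imports.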

📡 Detection & Monitoring

Log Indicators:

  • Requests to the `/file=` route whose path is absolute or contains traversal sequences (`..`, often percent-encoded as `%2e%2e` or `%2F`)
  • Requests to the `/proxy=` route whose target URL is not one your application legitimately loads

Network Indicators:

  • Outbound connections from the Gradio server to unexpected internal or external destinations, in particular cloud metadata addresses and internal services the app has no reason to call

SIEM Query (Splunk-style; the field name `uri` depends on how your access logs are parsed, and the allowed proxy host is an example to replace with your own list):

source="gradio" (uri="*/file=/*" OR uri="*/file=*..*" OR uri="*/proxy=*")
| where NOT match(uri, "^/proxy=https?://huggingface\.co/")

Normalize percent-encoding before matching, otherwise `%2e%2e%2f` slips past a literal `..` pattern.
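The detection logic above, applied to access-log lines, as an added example that is not part of the original page or of Gradio itself. The sample lines are constructed in the format uvicorn (the server Gradio runs on) writes for its access log; the allowed proxy host list is an assumption standing in for the hosts your application actually loads from.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample lines in uvicorn access-log format; these are not real captures.
SAMPLE_LOG = """\
INFO:     10.0.0.5:51234 - "GET /file=flagged_outputs/demo.png HTTP/1.1" 200 OK
INFO:     203.0.113.9:40211 - "GET /file=/etc/passwd HTTP/1.1" 200 OK
INFO:     203.0.113.9:40212 - "GET /file=..%2F..%2F..%2Fapp%2F.env HTTP/1.1" 200 OK
INFO:     10.0.0.5:51240 - "GET /proxy=https://huggingface.co/spaces/demo/model HTTP/1.1" 200 OK
INFO:     203.0.113.9:40230 - "GET /proxy=http://169.254.169.254/latest/meta-data/ HTTP/1.1" 200 OK
INFO:     10.0.0.5:51250 - "POST /run/predict HTTP/1.1" 200 OK
"""

# Assumption: the hosts this deployment legitimately proxies to. Replace with your own.
ALLOWED_PROXY_HOSTS = {"huggingface.co"}

# client:port - "METHOD target HTTP/x.y" status
LINE_RE = re.compile(
    r'(?P<client>[\d.]+):\d+ - "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def classify(target):
    """Label one request target, or return None when it looks benign.

    The target is percent-decoded first so that encoded traversal
    (%2e%2e%2f) and encoded slashes are judged on their real value.
    """
    decoded = unquote(target)
    if decoded.startswith("/file="):
        path = decoded[len("/file="):]
        # Absolute paths: POSIX root or a Windows drive letter.
        if path.startswith("/") or re.match(r"^[A-Za-z]:[\\/]", path):
            return "file_absolute_path"
        # Traversal: any '..' segment, with backslashes treated as separators.
        if ".." in path.replace("\\", "/").split("/"):
            return "file_traversal"
        return None
    if decoded.startswith("/proxy="):
        url = decoded[len("/proxy="):]
        host = (urlsplit(url).hostname or "").lower()
        if host not in ALLOWED_PROXY_HOSTS:
            return "proxy_unexpected_host"
        return None
    return None


def scan(log_text):
    """Return (client_ip, label, decoded_target) for every suspicious line."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        label = classify(m.group("target"))
        if label:
            findings.append((m.group("client"), label, unquote(m.group("target"))))
    return findings


if __name__ == "__main__":
    for client, label, target in scan(SAMPLE_LOG):
        print(f"{client}\t{label}\t{target}")
```

Feed it your real access log instead of `SAMPLE_LOG` and pivot on the client address: one source producing both `file_*` and `proxy_*` findings in a short window is the pattern to escalate. The allowlist check on the proxy route is deliberately strict (exact host match after decoding) because a looser substring match would be satisfied by `huggingface.co.attacker.example`.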

🔗 References

  • Vendor advisory (GHSA-3qqg-pgqq-3695): https://github.com/gradio-app/gradio/security/advisories/GHSA-3qqg-pgqq-3695
  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2023-34239
