https://bugzilla.suse.com/show_bug.cgi?id=1225917 Bug ID: 1225917 Summary: VUL-0: CVE-2024-4253: gradio: command injection within the test-functional.yml workflow Classification: openSUSE Product: openSUSE Distribution Version: Leap 15.6 Hardware: Other URL: https://smash.suse.de/issue/408611/ OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Security Assignee: wolfgang.engel@suse.com Reporter: smash_bz@suse.de QA Contact: security-team@suse.de CC: camila.matos@suse.com Target Milestone: --- Found By: Security Response Team Blocker: --- A command injection vulnerability exists in the gradio-app/gradio repository, specifically within the 'test-functional.yml' workflow. The vulnerability arises due to improper neutralization of special elements used in a command, allowing for unauthorized modification of the base repository or secrets exfiltration. The issue affects versions up to and including '@gradio/video@0.6.12'. The flaw is present in the workflow's handling of GitHub context information, where it echoes the full name of the head repository, the head branch, and the workflow reference without adequate sanitization. This could potentially lead to the exfiltration of sensitive secrets such as 'GITHUB_TOKEN', 'COMMENT_TOKEN', and 'CHROMATIC_PROJECT_TOKEN'. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-4253 https://www.cve.org/CVERecord?id=CVE-2024-4253 https://github.com/gradio-app/gradio/commit/a0e70366a8a406fdd80abb21e8c88a3c... https://huntr.com/bounties/23cb3749-8ae9-4e1a-9023-4a20ca6b675e -- You are receiving this mail because: You are on the CC list for the bug.