CVE-2022-24770 : `gradio` is an open source framework for building interactive machine learning m

`gradio` is an open source framework for building interactive machine learning models and demos. Prior to version 2.8.11, `gradio` suffers from Improper Neutralization of Formula Elements in a CSV File. The `gradio` library has a flagging functionality which saves input/output data into a CSV file on the developer's computer. This can allow a user to save arbitrary text into the CSV file, such as commands. If a program like MS Excel opens such a file, then it automatically runs these commands, which could lead to arbitrary commands running on the user's computer. The problem has been patched as of `2.8.11`, which escapes the saved csv with single quotes. As a workaround, avoid opening csv files generated by `gradio` with Excel or similar spreadsheet programs.

Published 2022-03-17 21:15:08

Updated 2022-03-24 13:00:22

Source GitHub, Inc.

View at NVD, CVE.org

Products affected by CVE-2022-24770

Gradio Project » Gradio » For Python
Versions before (<) 2.8.11
cpe:2.3:a:gradio_project:gradio:*:*:*:*:*:python:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2022-24770

EPSS FAQ

0.56%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 67 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2022-24770

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
6.8	MEDIUM	AV:N/AC:M/Au:N/C:P/I:P/A:P	8.6	6.4	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: Partial
8.8	HIGH	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H	2.8	5.9	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Unchanged Confidentiality: High Integrity: High Availability: High
8.8	HIGH	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H	2.8	5.9	GitHub, Inc.
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2022-24770

CWE-1236 Improper Neutralization of Formula Elements in a CSV File

The product saves user-provided information into a Comma-Separated Value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by a spreadsheet product.

Assigned by: security-advisories@github.com (Primary)

References for CVE-2022-24770

https://github.com/gradio-app/gradio/commit/80fea89117358ee105973453fdc402398ae20239

Merge pull request #817 from gradio-app/csv-sec · gradio-app/gradio@80fea89 · GitHub
Patch;Third Party Advisory
https://github.com/gradio-app/gradio/pull/817

Sanitize flagging inputs before writing to csv by abidlabs · Pull Request #817 · gradio-app/gradio · GitHub
Patch;Third Party Advisory
https://github.com/gradio-app/gradio/security/advisories/GHSA-f8xq-q7px-wg8c

Improper Neutralization of Formula Elements in a CSV File in Gradio Flagging · Advisory · gradio-app/gradio · GitHub
Third Party Advisory

Jump to

Vulnerability Details : CVE-2022-24770

Products affected by CVE-2022-24770

Exploit prediction scoring system (EPSS) score for CVE-2022-24770

CVSS scores for CVE-2022-24770

CWE ids for CVE-2022-24770

References for CVE-2022-24770