CVE-2024-39236.yaml
info:
  name: gradio
  cve: CVE-2024-39236
  summary: Gradio contains a code injection vulnerability via /gradio/component_meta.py
  details: |
    Gradio v4.36.1 was discovered to contain a code injection vulnerability via the component /gradio/component_meta.py. This vulnerability is triggered via a crafted input.
  cvss: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  severity: CRITICAL
  security_advise: |
    1. Upgrade to gradio>=4.36.2
    2. Review and sanitize all user inputs to prevent code injection
    3. Monitor for any suspicious activity post-upgrade
rule: version == "4.36.1"
references:
  - https://nvd.nist.gov/vuln/detail/CVE-2024-39236
  - https://github.com/gradio-app/gradio/issues/8853
  - https://github.com/Aaron911/PoC/blob/main/Gradio.md
  - https://github.com/advisories/GHSA-9v2f-6vcg-3hgv