{"data":{"id":"8bb53ace-9248-452a-aa45-d05103959ede","title":"CVE-2024-4254: The 'deploy-website.yml' workflow in the gradio-app/gradio repository, specifically in the 'main' branch, is vulnerable ","summary":"A workflow file (a set of automated tasks) in the Gradio project has a security flaw where it runs code from external copies of the repository without proper safety checks, allowing attackers to steal sensitive secrets (like API keys and authentication tokens). This happens because the workflow trusts and executes code from forks (unauthorized copies of the project) in an environment that has access to the main repository's secrets.","solution":"N/A -- no mitigation discussed in source.","labels":["security"],"sourceUrl":"https://nvd.nist.gov/vuln/detail/CVE-2024-4254","publishedAt":"2024-06-04T16:15:13.710Z","cveId":"CVE-2024-4254","cweIds":["CWE-214"],"cvssScore":null,"cvssSeverity":null,"severity":"high","attackType":["supply_chain"],"issueType":"vulnerability","affectedPackages":null,"affectedVendors":["HuggingFace"],"affectedVendorsRaw":["Gradio","HuggingFace"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":"unknown","epssScore":0.00565,"patchAvailable":null,"disclosureDate":null,"capecIds":null,"crossRefCount":0,"attackSophistication":"moderate","impactType":["confidentiality","integrity"],"aiComponentTargeted":"framework","llmSpecific":false,"classifierConfidence":0.85,"researchCategory":null,"atlasIds":null}}