{"data":{"id":"9cd73914-fffc-4c7b-bfa7-303d0d93828a","title":"CVE-2024-1540: A command injection vulnerability exists in the deploy+test-visual.yml workflow of the gradio-app/gradio repository, due","summary":"CVE-2024-1540 is a command injection vulnerability (CWE-77: an attacker can insert shell commands into a script that then gets executed) in a GitHub Actions workflow file of the gradio-app/gradio repository. Attacker-influenceable GitHub context values were interpolated directly into the workflow's script through `${{ }}` expressions, so anyone able to control those values could run arbitrary commands on the runner, potentially exfiltrating repository secrets or modifying the repository. The root cause is unsafe handling of variables that are substituted into the script text before the shell executes it, rather than being passed to the script as data.","solution":"Remediation involves assigning untrusted input values to intermediate environment variables (for example, in the step's `env:` block) and having the script read those variables at runtime, instead of interpolating them into the script text with `${{ }}` expressions; this keeps attacker-controlled data from influencing script generation. As a defense in depth, such jobs should also run with the minimum GITHUB_TOKEN permissions they need, so a successful injection exposes as little as possible.","labels":["security"],"sourceUrl":"https://nvd.nist.gov/vuln/detail/CVE-2024-1540","publishedAt":"2024-03-27T20:15:09.963Z","cveId":"CVE-2024-1540","cweIds":["CWE-77"],"cvssScore":"8.2","cvssSeverity":"high","severity":"high","attackType":["supply_chain"],"issueType":"vulnerability","affectedPackages":null,"affectedVendors":["HuggingFace"],"affectedVendorsRaw":["Gradio","gradio-app"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":"unknown","epssScore":0.00402,"patchAvailable":null,"disclosureDate":null,"capecIds":["CAPEC-88"],"crossRefCount":0,"attackSophistication":"moderate","impactType":["integrity","confidentiality"],"aiComponentTargeted":"framework","llmSpecific":false,"classifierConfidence":0.85,"researchCategory":null,"atlasIds":null}}