Gradio is an open-source Python package designed for quick prototyping. This vulnerability is a **Server-Side Request Forgery (SSRF)** in the `/queue/join` endpoint: Gradio's `async_save_url_to_cache` function allows attackers to force the Gradio server to send HTTP requests to user-controlled URLs. An attacker could use this to reach internal servers or services on the local network, possibly exfiltrate data, or cause unwanted internal requests. Additionally, the content fetched from these URLs is stored locally, making it easier for attackers to place potentially malicious files on the server.

This impacts users deploying Gradio servers that use components involving URL fetching, such as the Video component. Users are advised to upgrade to `gradio>=5` to address this issue. As a workaround, users can disable URL-based inputs in their Gradio applications or restrict them to trusted domains only. Additionally, implementing stricter URL validation (such as allowlist-based validation) and ensuring that local or internal network addresses cannot be requested via the `/queue/join` endpoint can help mitigate the risk of SSRF attacks.
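The two workarounds above (an allowlist of trusted hosts, and refusing any URL that points at a local or internal address) can be combined into one check that runs before the server fetches anything. The following is an added example, not Gradio's own code and not part of the original advisory; the function names (`validate_fetch_url`, `is_fetch_allowed`, `is_public_address`), the `FAKE_DNS` table and the hostnames in it are constructed for the demonstration, and the real lookup goes through `socket.getaddrinfo`.

```python
"""Allowlist plus resolved-address checks before a server fetches a user URL.

Added example (not Gradio's own code): it shows the two mitigations the
advisory recommends, restricting URL inputs to trusted hosts and refusing
anything that resolves to a loopback, private or link-local address.
FAKE_DNS and the hostnames in it are constructed for the demo.
"""
from __future__ import annotations

import ipaddress
import socket
from typing import Callable, Iterable
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


class UnsafeURL(ValueError):
    """Raised when the server must not fetch the given URL."""


def system_resolver(hostname: str) -> list[str]:
    """Every A/AAAA address the system resolver returns for hostname."""
    infos = socket.getaddrinfo(hostname, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def is_public_address(text: str) -> bool:
    """True only for a globally routable unicast address."""
    ip = ipaddress.ip_address(text)
    # ::ffff:10.0.0.5 is IPv4 in disguise; judge the embedded address.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_fetch_url(url: str, allowed_hosts: Iterable[str],
                       resolver: Callable[[str], Iterable[str]] = system_resolver,
                       ) -> tuple[str, list[str]]:
    """Return (host, addresses) if url may be fetched, else raise UnsafeURL.

    Callers should connect to one of the returned addresses (setting the
    Host header themselves) instead of resolving the name a second time,
    so a DNS answer that changes between check and fetch cannot slip through.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise UnsafeURL(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise UnsafeURL("credentials embedded in URL")
    host = (parts.hostname or "").rstrip(".").lower()
    if not host:
        raise UnsafeURL("URL has no host")
    if host not in {h.rstrip(".").lower() for h in allowed_hosts}:
        raise UnsafeURL(f"host not in allowlist: {host!r}")
    try:
        # An IP literal (urlsplit already strips IPv6 brackets) needs no lookup.
        addresses = [str(ipaddress.ip_address(host))]
    except ValueError:
        try:
            addresses = sorted(set(resolver(host)))
        except OSError as exc:  # socket.gaierror is an OSError subclass
            raise UnsafeURL(f"cannot resolve {host!r}: {exc}") from exc
    if not addresses:
        raise UnsafeURL(f"{host!r} resolved to no addresses")
    # Reject if *any* answer is non-public: a mixed answer is how a rebinding
    # host smuggles an internal address past a first-answer-only check.
    for addr in addresses:
        if not is_public_address(addr):
            raise UnsafeURL(f"{host!r} resolves to non-public address {addr}")
    return host, addresses


def is_fetch_allowed(url, allowed_hosts, resolver=system_resolver) -> bool:
    """Boolean convenience wrapper around validate_fetch_url."""
    try:
        validate_fetch_url(url, allowed_hosts, resolver)
    except UnsafeURL:
        return False
    return True


# Constructed DNS answers so the demo runs offline; not real records.
FAKE_DNS = {
    "cdn.example.com": ["93.184.216.34"],                 # public address
    "mixed.example.com": ["93.184.216.34", "10.0.0.5"],   # one internal answer
    "localhost": ["127.0.0.1"],
}


def fake_resolver(hostname: str) -> list[str]:
    """Stand-in for system_resolver backed by FAKE_DNS."""
    if hostname not in FAKE_DNS:
        raise socket.gaierror(f"constructed NXDOMAIN for {hostname}")
    return FAKE_DNS[hostname]


if __name__ == "__main__":
    allow = ["cdn.example.com", "mixed.example.com", "localhost", "10.0.0.5"]
    for candidate in ["https://cdn.example.com/clip.mp4", "http://localhost:7860/",
                      "http://[::1]/", "http://10.0.0.5/", "https://mixed.example.com/",
                      "file:///etc/hosts"]:
        print(f"{candidate:40} allowed={is_fetch_allowed(candidate, allow, fake_resolver)}")
```

Note that the allowlist alone is not enough: `localhost` and `10.0.0.5` are deliberately allowlisted in the demo and are still refused by the address check, and `mixed.example.com` is refused because one of its answers is internal. Redirects need the same treatment, so a fetch that follows `Location` headers should re-run this check on every hop rather than only on the first URL.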

Privacy Policy

Last Updated: Nov 9 2023

Welcome to Security Links! We are committed to protecting your privacy and ensuring you have a positive experience while using our website. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website [security-links.hdks.org] (the "Site"). Please read this Privacy Policy carefully. By accessing or using the Site, you agree to the terms of this Privacy Policy. If you do not agree with the practices described in this policy, please do not use the Site.

Information We Collect

We do not collect any personally identifiable information about you unless you voluntarily submit such information to us through contact forms or email subscriptions. The types of information we may collect include:

  • Contact information (such as your name and email address) if you voluntarily provide it to us through contact forms or email subscriptions.
  • Website usage information, including your IP address, browser type, operating system, referring URLs, access times, and pages visited, collected automatically through cookies and other tracking technologies.

How We Use Your Information

We may use the information we collect for various purposes, including:

  • To provide and maintain the Site.
  • To send you newsletters, marketing communications, and other information that may be of interest to you.
  • To respond to your inquiries, comments, or requests.
  • To improve the user experience on our Site.
  • To monitor and analyze usage patterns and trends.

Cookies and Other Tracking Technologies

We use cookies and similar tracking technologies to track the activity on our Site and hold certain information. Cookies are files with small amounts of data that may include an anonymous unique identifier. You can instruct your browser to refuse all cookies or to indicate when a cookie is being sent. However, if you do not accept cookies, you may not be able to use some portions of our Site.

Disclosure of Your Information

We do not sell, trade, or otherwise transfer your personally identifiable information to outside parties. We may disclose your information to third-party service providers who assist us in operating our website, conducting our business, or servicing you. These third parties are required to maintain the confidentiality of your information.

Links to Other Websites

Our Site may contain links to other websites that are not operated by us. If you click on a third-party link, you will be directed to that third party's site. We strongly advise you to review the Privacy Policy of every site you visit.

Security

We use reasonable security measures to protect against the loss, misuse, and alteration of the information under our control. However, no method of transmission over the Internet or method of electronic storage is completely secure, and we cannot guarantee absolute security.

Changes to This Privacy Policy

We may update our Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page. You are advised to review this Privacy Policy periodically for any changes.

Contact Us

If you have any questions about this Privacy Policy, please contact us at hdks.bug[at]gmail.com.

By using this Site, you signify your acceptance of this Privacy Policy. If you do not agree to this Privacy Policy, please do not use our Site. Your continued use of the Site following the posting of changes to this Privacy Policy will be deemed your acceptance of those changes.