{"id":"PYSEC-2022-229","details":"`gradio` is an open source framework for building interactive machine learning models and demos. Prior to version 2.8.11, `gradio` suffers from Improper Neutralization of Formula Elements in a CSV File. The `gradio` library has a flagging functionality which saves input/output data into a CSV file on the developer's computer. This can allow a user to save arbitrary text into the CSV file, such as commands. If a program like MS Excel opens such a file, then it automatically runs these commands, which could lead to arbitrary commands running on the user's computer. The problem has been patched as of `2.8.11`, which escapes the saved csv with single quotes. As a workaround, avoid opening csv files generated by `gradio` with Excel or similar spreadsheet programs.","aliases":["CVE-2022-24770","GHSA-f8xq-q7px-wg8c"],"modified":"2023-11-08T04:08:35.736082Z","published":"2022-03-17T21:15:00Z","references":[{"type":"ADVISORY","url":"https://github.com/gradio-app/gradio/security/advisories/GHSA-f8xq-q7px-wg8c"},{"type":"WEB","url":"https://github.com/gradio-app/gradio/pull/817"},{"type":"FIX","url":"https://github.com/gradio-app/gradio/commit/80fea89117358ee105973453fdc402398ae20239"}],"affected":[{"package":{"name":"gradio","ecosystem":"PyPI","purl":"pkg:pypi/gradio"},"ranges":[{"type":"GIT","repo":"https://github.com/gradio-app/gradio","events":[{"introduced":"0"},{"fixed":"80fea89117358ee105973453fdc402398ae20239"}]},{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.8.11"}]}],"versions":["0.1.0","0.1.1","0.1.2","0.1.3","0.1.4","0.1.5","0.1.6","0.1.7","0.1.8","0.1.9","0.2.0","0.2.1","0.3.0","0.3.1","0.3.2","0.3.3","0.3.4","0.3.5","0.4.0","0.4.1","0.4.2","0.4.4","0.5.0","0.7.0","0.7.1","0.7.2","0.7.3","0.7.4","0.7.5","0.7.6","0.7.7","0.7.8","0.8.0","0.8.1","0.9.0","0.9.1","0.9.2","0.9.3","0.9.4","0.9.5","0.9.6","0.9.7","0.9.8","0.9.9.2","0.9.9.3","0.9.9.5","0.9.9.6","0.9.9.7","0.9.9.8","0.9.9.9","0.9.9.9.2","1.0.0","1.0.0a1","1.0.0a3","1.0.0a4","1.0.1","1.0.2","1.0.3","1.0.4","1.0.5","1.0.6","1.0.7","1.1.0","1.1.1","1.1.2","1.1.3","1.1.4","1.1.5","1.1.6","1.1.8","1.1.8.1","1.1.9","1.2.2","1.2.3","1.3.0","1.3.1","1.3.2","1.4.0","1.4.2","1.4.3","1.4.4","1.5.0","1.5.1","1.5.3","1.5.4","1.6.0","1.6.1","1.6.2","1.6.3","1.6.4","1.7.0","1.7.1","1.7.2","1.7.3","1.7.4","1.7.5","1.7.6","1.7.7","2.0.0","2.0.1","2.0.10","2.0.2","2.0.4","2.0.5","2.0.6","2.0.7","2.0.8","2.0.9","2.1.0","2.1.1","2.1.2","2.1.4","2.1.6","2.1.7","2.2.0","2.2.1","2.2.10","2.2.11","2.2.12","2.2.13","2.2.14","2.2.15","2.2.2","2.2.3","2.2.4","2.2.5","2.2.6","2.2.7","2.2.8","2.2.9a0","2.2.9a2","2.3.0","2.3.0a0","2.3.0b101","2.3.0b102","2.3.0b99","2.3.3","2.3.4","2.3.5","2.3.5b0","2.3.6","2.3.7","2.3.7b0","2.3.7b1","2.3.7b2","2.3.8b0","2.3.9","2.4.0","2.4.0a0","2.4.1","2.4.2","2.4.4","2.4.5","2.4.6","2.4.7b0","2.4.7b2","2.4.7b3","2.4.7b4","2.4.7b5","2.4.7b6","2.4.7b7","2.4.7b8","2.4.7b9","2.5.0","2.5.1","2.5.2","2.5.3","2.5.8a0","2.6.0","2.6.1","2.6.1a0","2.6.1b0","2.6.1b3","2.6.2","2.6.3","2.6.4","2.6.4b0","2.6.4b2","2.6.4b3","2.7.0","2.7.0a101","2.7.0a102","2.7.0b70","2.7.5","2.7.5.1","2.7.5.2","2.7.5.2b0","2.8.0","2.8.0a100","2.8.0b0","2.8.0b10","2.8.0b12","2.8.0b2","2.8.0b20","2.8.0b22","2.8.0b3","2.8.0b4","2.8.0b5","2.8.0b6","2.8.1","2.8.10","2.8.2","2.8.3","2.8.4","2.8.5","2.8.6","2.8.7","2.8.8","2.8.9"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/gradio/PYSEC-2022-229.yaml"}}],"schema_version":"1.7.3"}