cvelistv5 - cve-2024-47867

CVE-2024-47867 (GCVE-0-2024-47867)

Vulnerability from cvelistv5 – Published: 2024-10-10 22:19 – Updated: 2024-10-11 15:06

Summary

Gradio is an open-source Python package designed for quick prototyping. This vulnerability is a **lack of integrity check** on the downloaded FRP client, which could potentially allow attackers to introduce malicious code. If an attacker gains access to the remote URL from which the FRP client is downloaded, they could modify the binary without detection, as the Gradio server does not verify the file's checksum or signature. Any users utilizing the Gradio server's sharing mechanism that downloads the FRP client could be affected by this vulnerability, especially those relying on the executable binary for secure data tunneling. There is no direct workaround for this issue without upgrading. However, users can manually validate the integrity of the downloaded FRP client by implementing checksum or signature verification in their own environment to ensure the binary hasn't been tampered with.

Severity ?

2.1 (Low)


                        
                          CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

CWE

CWE-345 - Insufficient Verification of Data Authenticity

Assigner

GitHub_M

References

URL

Tags

https://github.com/gradio-app/gradio/security/adv…

x_refsource_CONFIRM

Impacted products

	Vendor	Product	Version
	gradio-app	gradio	Affected: < 5.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-47867",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-10-11T15:06:22.059191Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-10-11T15:06:32.529Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "gradio",
          "vendor": "gradio-app",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 5.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Gradio is an open-source Python package designed for quick prototyping. This vulnerability is a **lack of integrity check** on the downloaded FRP client, which could potentially allow attackers to introduce malicious code. If an attacker gains access to the remote URL from which the FRP client is downloaded, they could modify the binary without detection, as the Gradio server does not verify the file\u0027s checksum or signature.  Any users utilizing the Gradio server\u0027s sharing mechanism that downloads the FRP client could be affected by this vulnerability, especially those relying on the executable binary for secure data tunneling. There is no direct workaround for this issue without upgrading. However, users can manually validate the integrity of the downloaded FRP client by implementing checksum or signature verification in their own environment to ensure the binary hasn\u0027t been tampered with."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 2.1,
            "baseSeverity": "LOW",
            "privilegesRequired": "HIGH",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "LOW",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "LOW"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-345",
              "description": "CWE-345: Insufficient Verification of Data Authenticity",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-10-10T22:19:11.631Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/gradio-app/gradio/security/advisories/GHSA-8c87-gvhj-xm8m",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/gradio-app/gradio/security/advisories/GHSA-8c87-gvhj-xm8m"
        }
      ],
      "source": {
        "advisory": "GHSA-8c87-gvhj-xm8m",
        "discovery": "UNKNOWN"
      },
      "title": "Lack of integrity check on the downloaded FRP client in Gradio"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-47867",
    "datePublished": "2024-10-10T22:19:11.631Z",
    "dateReserved": "2024-10-04T16:00:09.629Z",
    "dateUpdated": "2024-10-11T15:06:32.529Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:gradio_project:gradio:*:*:*:*:*:python:*:*\", \"versionEndExcluding\": \"5.0.0\", \"matchCriteriaId\": \"32D191C7-095C-427B-832D-C63FE4D4A037\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"Gradio is an open-source Python package designed for quick prototyping. This vulnerability is a **lack of integrity check** on the downloaded FRP client, which could potentially allow attackers to introduce malicious code. If an attacker gains access to the remote URL from which the FRP client is downloaded, they could modify the binary without detection, as the Gradio server does not verify the file\u0027s checksum or signature.  Any users utilizing the Gradio server\u0027s sharing mechanism that downloads the FRP client could be affected by this vulnerability, especially those relying on the executable binary for secure data tunneling. There is no direct workaround for this issue without upgrading. However, users can manually validate the integrity of the downloaded FRP client by implementing checksum or signature verification in their own environment to ensure the binary hasn\u0027t been tampered with.\"}, {\"lang\": \"es\", \"value\": \"Gradio es un paquete Python de c\\u00f3digo abierto dise\\u00f1ado para la creaci\\u00f3n r\\u00e1pida de prototipos. Esta vulnerabilidad es una **falta de comprobaci\\u00f3n de integridad** en el cliente FRP descargado, lo que podr\\u00eda permitir a los atacantes introducir c\\u00f3digo malicioso. Si un atacante obtiene acceso a la URL remota desde la que se descarga el cliente FRP, podr\\u00eda modificar el binario sin ser detectado, ya que el servidor Gradio no verifica la suma de comprobaci\\u00f3n ni la firma del archivo. Cualquier usuario que utilice el mecanismo de uso compartido del servidor Gradio que descarga el cliente FRP podr\\u00eda verse afectado por esta vulnerabilidad, especialmente aquellos que dependen del binario ejecutable para la tunelizaci\\u00f3n segura de datos. No existe un workaround directo para este problema sin actualizar. Sin embargo, los usuarios pueden validar manualmente la integridad del cliente FRP descargado implementando la suma de comprobaci\\u00f3n o la verificaci\\u00f3n de la firma en su propio entorno para asegurarse de que el binario no haya sido alterado.\"}]",
      "id": "CVE-2024-47867",
      "lastModified": "2024-11-15T16:44:54.783",
      "metrics": "{\"cvssMetricV40\": [{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"4.0\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\", \"baseScore\": 2.1, \"baseSeverity\": \"LOW\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"PRESENT\", \"privilegesRequired\": \"HIGH\", \"userInteraction\": \"NONE\", \"vulnerableSystemConfidentiality\": \"LOW\", \"vulnerableSystemIntegrity\": \"LOW\", \"vulnerableSystemAvailability\": \"LOW\", \"subsequentSystemConfidentiality\": \"NONE\", \"subsequentSystemIntegrity\": \"NONE\", \"subsequentSystemAvailability\": \"NONE\", \"exploitMaturity\": \"NOT_DEFINED\", \"confidentialityRequirements\": \"NOT_DEFINED\", \"integrityRequirements\": \"NOT_DEFINED\", \"availabilityRequirements\": \"NOT_DEFINED\", \"modifiedAttackVector\": \"NOT_DEFINED\", \"modifiedAttackComplexity\": \"NOT_DEFINED\", \"modifiedAttackRequirements\": \"NOT_DEFINED\", \"modifiedPrivilegesRequired\": \"NOT_DEFINED\", \"modifiedUserInteraction\": \"NOT_DEFINED\", \"modifiedVulnerableSystemConfidentiality\": \"NOT_DEFINED\", \"modifiedVulnerableSystemIntegrity\": \"NOT_DEFINED\", \"modifiedVulnerableSystemAvailability\": \"NOT_DEFINED\", \"modifiedSubsequentSystemConfidentiality\": \"NOT_DEFINED\", \"modifiedSubsequentSystemIntegrity\": \"NOT_DEFINED\", \"modifiedSubsequentSystemAvailability\": \"NOT_DEFINED\", \"safety\": \"NOT_DEFINED\", \"automatable\": \"NOT_DEFINED\", \"recovery\": \"NOT_DEFINED\", \"valueDensity\": \"NOT_DEFINED\", \"vulnerabilityResponseEffort\": \"NOT_DEFINED\", \"providerUrgency\": \"NOT_DEFINED\"}}], \"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N\", \"baseScore\": 7.5, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 3.6}]}",
      "published": "2024-10-10T23:15:02.640",
      "references": "[{\"url\": \"https://github.com/gradio-app/gradio/security/advisories/GHSA-8c87-gvhj-xm8m\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Vendor Advisory\"]}]",
      "sourceIdentifier": "security-advisories@github.com",
      "vulnStatus": "Analyzed",
      "weaknesses": "[{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-345\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"NVD-CWE-Other\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-47867\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2024-10-10T23:15:02.640\",\"lastModified\":\"2024-11-15T16:44:54.783\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Gradio is an open-source Python package designed for quick prototyping. This vulnerability is a **lack of integrity check** on the downloaded FRP client, which could potentially allow attackers to introduce malicious code. If an attacker gains access to the remote URL from which the FRP client is downloaded, they could modify the binary without detection, as the Gradio server does not verify the file\u0027s checksum or signature.  Any users utilizing the Gradio server\u0027s sharing mechanism that downloads the FRP client could be affected by this vulnerability, especially those relying on the executable binary for secure data tunneling. There is no direct workaround for this issue without upgrading. However, users can manually validate the integrity of the downloaded FRP client by implementing checksum or signature verification in their own environment to ensure the binary hasn\u0027t been tampered with.\"},{\"lang\":\"es\",\"value\":\"Gradio es un paquete Python de c\u00f3digo abierto dise\u00f1ado para la creaci\u00f3n r\u00e1pida de prototipos. Esta vulnerabilidad es una **falta de comprobaci\u00f3n de integridad** en el cliente FRP descargado, lo que podr\u00eda permitir a los atacantes introducir c\u00f3digo malicioso. Si un atacante obtiene acceso a la URL remota desde la que se descarga el cliente FRP, podr\u00eda modificar el binario sin ser detectado, ya que el servidor Gradio no verifica la suma de comprobaci\u00f3n ni la firma del archivo. Cualquier usuario que utilice el mecanismo de uso compartido del servidor Gradio que descarga el cliente FRP podr\u00eda verse afectado por esta vulnerabilidad, especialmente aquellos que dependen del binario ejecutable para la tunelizaci\u00f3n segura de datos. No existe un workaround directo para este problema sin actualizar. Sin embargo, los usuarios pueden validar manualmente la integridad del cliente FRP descargado implementando la suma de comprobaci\u00f3n o la verificaci\u00f3n de la firma en su propio entorno para asegurarse de que el binario no haya sido alterado.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":2.1,\"baseSeverity\":\"LOW\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"PRESENT\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"LOW\",\"vulnIntegrityImpact\":\"LOW\",\"vulnAvailabilityImpact\":\"LOW\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-345\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-Other\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:gradio_project:gradio:*:*:*:*:*:python:*:*\",\"versionEndExcluding\":\"5.0.0\",\"matchCriteriaId\":\"32D191C7-095C-427B-832D-C63FE4D4A037\"}]}]}],\"references\":[{\"url\":\"https://github.com/gradio-app/gradio/security/advisories/GHSA-8c87-gvhj-xm8m\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"cna\": {\"title\": \"Lack of integrity check on the downloaded FRP client in Gradio\", \"problemTypes\": [{\"descriptions\": [{\"cweId\": \"CWE-345\", \"lang\": \"en\", \"description\": \"CWE-345: Insufficient Verification of Data Authenticity\", \"type\": \"CWE\"}]}], \"metrics\": [{\"cvssV4_0\": {\"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"PRESENT\", \"privilegesRequired\": \"HIGH\", \"userInteraction\": \"NONE\", \"vulnConfidentialityImpact\": \"LOW\", \"vulnIntegrityImpact\": \"LOW\", \"vulnAvailabilityImpact\": \"LOW\", \"subConfidentialityImpact\": \"NONE\", \"subIntegrityImpact\": \"NONE\", \"subAvailabilityImpact\": \"NONE\", \"baseScore\": 2.1, \"baseSeverity\": \"LOW\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N\", \"version\": \"4.0\"}}], \"references\": [{\"name\": \"https://github.com/gradio-app/gradio/security/advisories/GHSA-8c87-gvhj-xm8m\", \"tags\": [\"x_refsource_CONFIRM\"], \"url\": \"https://github.com/gradio-app/gradio/security/advisories/GHSA-8c87-gvhj-xm8m\"}], \"affected\": [{\"vendor\": \"gradio-app\", \"product\": \"gradio\", \"versions\": [{\"version\": \"\u003c 5.0\", \"status\": \"affected\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2024-10-10T22:19:11.631Z\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Gradio is an open-source Python package designed for quick prototyping. This vulnerability is a **lack of integrity check** on the downloaded FRP client, which could potentially allow attackers to introduce malicious code. If an attacker gains access to the remote URL from which the FRP client is downloaded, they could modify the binary without detection, as the Gradio server does not verify the file\u0027s checksum or signature.  Any users utilizing the Gradio server\u0027s sharing mechanism that downloads the FRP client could be affected by this vulnerability, especially those relying on the executable binary for secure data tunneling. There is no direct workaround for this issue without upgrading. However, users can manually validate the integrity of the downloaded FRP client by implementing checksum or signature verification in their own environment to ensure the binary hasn\u0027t been tampered with.\"}], \"source\": {\"advisory\": \"GHSA-8c87-gvhj-xm8m\", \"discovery\": \"UNKNOWN\"}}, \"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-47867\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-10-11T15:06:22.059191Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-10-11T15:06:27.827Z\"}}]}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-47867\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"state\": \"PUBLISHED\", \"assignerShortName\": \"GitHub_M\", \"dateReserved\": \"2024-10-04T16:00:09.629Z\", \"datePublished\": \"2024-10-10T22:19:11.631Z\", \"dateUpdated\": \"2024-10-11T15:06:32.529Z\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

FKIE_CVE-2024-47867

Vulnerability from fkie_nvd - Published: 2024-10-10 23:15 - Updated: 2024-11-15 16:44

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/gradio-app/gradio/security/advisories/GHSA-8c87-gvhj-xm8m	Vendor Advisory

Impacted products

	Vendor	Product	Version
	gradio_project	gradio	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:gradio_project:gradio:*:*:*:*:*:python:*:*",
              "matchCriteriaId": "32D191C7-095C-427B-832D-C63FE4D4A037",
              "versionEndExcluding": "5.0.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Gradio is an open-source Python package designed for quick prototyping. This vulnerability is a **lack of integrity check** on the downloaded FRP client, which could potentially allow attackers to introduce malicious code. If an attacker gains access to the remote URL from which the FRP client is downloaded, they could modify the binary without detection, as the Gradio server does not verify the file\u0027s checksum or signature.  Any users utilizing the Gradio server\u0027s sharing mechanism that downloads the FRP client could be affected by this vulnerability, especially those relying on the executable binary for secure data tunneling. There is no direct workaround for this issue without upgrading. However, users can manually validate the integrity of the downloaded FRP client by implementing checksum or signature verification in their own environment to ensure the binary hasn\u0027t been tampered with."
    },
    {
      "lang": "es",
      "value": "Gradio es un paquete Python de c\u00f3digo abierto dise\u00f1ado para la creaci\u00f3n r\u00e1pida de prototipos. Esta vulnerabilidad es una **falta de comprobaci\u00f3n de integridad** en el cliente FRP descargado, lo que podr\u00eda permitir a los atacantes introducir c\u00f3digo malicioso. Si un atacante obtiene acceso a la URL remota desde la que se descarga el cliente FRP, podr\u00eda modificar el binario sin ser detectado, ya que el servidor Gradio no verifica la suma de comprobaci\u00f3n ni la firma del archivo. Cualquier usuario que utilice el mecanismo de uso compartido del servidor Gradio que descarga el cliente FRP podr\u00eda verse afectado por esta vulnerabilidad, especialmente aquellos que dependen del binario ejecutable para la tunelizaci\u00f3n segura de datos. No existe un workaround directo para este problema sin actualizar. Sin embargo, los usuarios pueden validar manualmente la integridad del cliente FRP descargado implementando la suma de comprobaci\u00f3n o la verificaci\u00f3n de la firma en su propio entorno para asegurarse de que el binario no haya sido alterado."
    }
  ],
  "id": "CVE-2024-47867",
  "lastModified": "2024-11-15T16:44:54.783",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ],
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "PRESENT",
          "attackVector": "NETWORK",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 2.1,
          "baseSeverity": "LOW",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "HIGH",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "NONE",
          "subConfidentialityImpact": "NONE",
          "subIntegrityImpact": "NONE",
          "userInteraction": "NONE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "LOW",
          "vulnConfidentialityImpact": "LOW",
          "vulnIntegrityImpact": "LOW",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2024-10-10T23:15:02.640",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://github.com/gradio-app/gradio/security/advisories/GHSA-8c87-gvhj-xm8m"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-345"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "NVD-CWE-Other"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

PYSEC-2024-216

Vulnerability from pysec - Published: 2024-10-10 23:15 - Updated: 2025-01-19 22:22

Details

Gradio is an open-source Python package designed for quick prototyping. This vulnerability is a lack of integrity check on the downloaded FRP client, which could potentially allow attackers to introduce malicious code. If an attacker gains access to the remote URL from which the FRP client is downloaded, they could modify the binary without detection, as the Gradio server does not verify the file's checksum or signature. Any users utilizing the Gradio server's sharing mechanism that downloads the FRP client could be affected by this vulnerability, especially those relying on the executable binary for secure data tunneling. There is no direct workaround for this issue without upgrading. However, users can manually validate the integrity of the downloaded FRP client by implementing checksum or signature verification in their own environment to ensure the binary hasn't been tampered with.

Severity ?

7.5 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Impacted products

Name	purl
gradio	pkg:pypi/gradio

Aliases

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "gradio",
        "purl": "pkg:pypi/gradio"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "0.1.0",
        "0.1.1",
        "0.1.2",
        "0.1.3",
        "0.1.4",
        "0.1.5",
        "0.1.6",
        "0.1.7",
        "0.1.8",
        "0.1.9",
        "0.2.0",
        "0.2.1",
        "0.3.0",
        "0.3.1",
        "0.3.2",
        "0.3.3",
        "0.3.4",
        "0.3.5",
        "0.4.0",
        "0.4.1",
        "0.4.2",
        "0.4.4",
        "0.5.0",
        "0.7.0",
        "0.7.1",
        "0.7.2",
        "0.7.3",
        "0.7.4",
        "0.7.5",
        "0.7.6",
        "0.7.7",
        "0.7.8",
        "0.8.0",
        "0.8.1",
        "0.9.0",
        "0.9.1",
        "0.9.2",
        "0.9.3",
        "0.9.4",
        "0.9.5",
        "0.9.6",
        "0.9.7",
        "0.9.8",
        "0.9.9.2",
        "0.9.9.3",
        "0.9.9.5",
        "0.9.9.6",
        "0.9.9.7",
        "0.9.9.8",
        "0.9.9.9",
        "0.9.9.9.2",
        "1.0.0",
        "1.0.0a1",
        "1.0.0a3",
        "1.0.0a4",
        "1.0.1",
        "1.0.2",
        "1.0.3",
        "1.0.4",
        "1.0.5",
        "1.0.6",
        "1.0.7",
        "1.1.0",
        "1.1.1",
        "1.1.2",
        "1.1.3",
        "1.1.4",
        "1.1.5",
        "1.1.6",
        "1.1.8",
        "1.1.8.1",
        "1.1.9",
        "1.2.2",
        "1.2.3",
        "1.3.0",
        "1.3.1",
        "1.3.2",
        "1.4.0",
        "1.4.2",
        "1.4.3",
        "1.4.4",
        "1.5.0",
        "1.5.1",
        "1.5.3",
        "1.5.4",
        "1.6.0",
        "1.6.1",
        "1.6.2",
        "1.6.3",
        "1.6.4",
        "1.7.0",
        "1.7.1",
        "1.7.2",
        "1.7.3",
        "1.7.4",
        "1.7.5",
        "1.7.6",
        "1.7.7",
        "2.0.0",
        "2.0.1",
        "2.0.10",
        "2.0.2",
        "2.0.4",
        "2.0.5",
        "2.0.6",
        "2.0.7",
        "2.0.8",
        "2.0.9",
        "2.1.0",
        "2.1.1",
        "2.1.2",
        "2.1.4",
        "2.1.6",
        "2.1.7",
        "2.2.0",
        "2.2.1",
        "2.2.10",
        "2.2.11",
        "2.2.12",
        "2.2.13",
        "2.2.14",
        "2.2.15",
        "2.2.2",
        "2.2.3",
        "2.2.4",
        "2.2.5",
        "2.2.6",
        "2.2.7",
        "2.2.8",
        "2.2.9a0",
        "2.2.9a2",
        "2.3.0",
        "2.3.0a0",
        "2.3.0b101",
        "2.3.0b102",
        "2.3.0b99",
        "2.3.3",
        "2.3.4",
        "2.3.5",
        "2.3.5b0",
        "2.3.6",
        "2.3.7",
        "2.3.7b0",
        "2.3.7b1",
        "2.3.7b2",
        "2.3.8b0",
        "2.3.9",
        "2.4.0",
        "2.4.0a0",
        "2.4.1",
        "2.4.2",
        "2.4.4",
        "2.4.5",
        "2.4.6",
        "2.4.7b0",
        "2.4.7b2",
        "2.4.7b3",
        "2.4.7b4",
        "2.4.7b5",
        "2.4.7b6",
        "2.4.7b7",
        "2.4.7b8",
        "2.4.7b9",
        "2.5.0",
        "2.5.1",
        "2.5.2",
        "2.5.3",
        "2.5.8a0",
        "2.6.0",
        "2.6.1",
        "2.6.1a0",
        "2.6.1b0",
        "2.6.1b3",
        "2.6.2",
        "2.6.3",
        "2.6.4",
        "2.6.4b0",
        "2.6.4b2",
        "2.6.4b3",
        "2.7.0",
        "2.7.0a101",
        "2.7.0a102",
        "2.7.0b70",
        "2.7.5",
        "2.7.5.1",
        "2.7.5.2",
        "2.7.5.2b0",
        "2.8.0",
        "2.8.0a100",
        "2.8.0b0",
        "2.8.0b10",
        "2.8.0b12",
        "2.8.0b2",
        "2.8.0b20",
        "2.8.0b22",
        "2.8.0b3",
        "2.8.0b4",
        "2.8.0b5",
        "2.8.0b6",
        "2.8.1",
        "2.8.10",
        "2.8.11",
        "2.8.12",
        "2.8.13",
        "2.8.14",
        "2.8.2",
        "2.8.3",
        "2.8.4",
        "2.8.5",
        "2.8.6",
        "2.8.7",
        "2.8.8",
        "2.8.9",
        "2.9.0",
        "2.9.0.1",
        "2.9.0b0",
        "2.9.0b1",
        "2.9.0b10",
        "2.9.0b2",
        "2.9.0b3",
        "2.9.0b5",
        "2.9.0b6",
        "2.9.0b7",
        "2.9.0b8",
        "2.9.0b9",
        "2.9.1",
        "2.9.2",
        "2.9.3",
        "2.9.4",
        "2.9b11",
        "2.9b12",
        "2.9b13",
        "2.9b14",
        "2.9b15",
        "2.9b20",
        "2.9b21",
        "2.9b22",
        "2.9b23",
        "2.9b24",
        "2.9b25",
        "2.9b26",
        "2.9b27",
        "2.9b28",
        "2.9b30",
        "2.9b31",
        "2.9b32",
        "2.9b33",
        "2.9b40",
        "2.9b48",
        "2.9b50",
        "3.0",
        "3.0.1",
        "3.0.10",
        "3.0.10b16",
        "3.0.10b2",
        "3.0.11",
        "3.0.11b1",
        "3.0.12",
        "3.0.13",
        "3.0.13b100",
        "3.0.13b13",
        "3.0.13b15",
        "3.0.14",
        "3.0.15",
        "3.0.16",
        "3.0.17",
        "3.0.18",
        "3.0.18b0",
        "3.0.19",
        "3.0.19b0",
        "3.0.19b1",
        "3.0.19b2",
        "3.0.1b120",
        "3.0.1b121",
        "3.0.1b300",
        "3.0.2",
        "3.0.20",
        "3.0.20.dev0",
        "3.0.21",
        "3.0.22",
        "3.0.23",
        "3.0.23.dev1",
        "3.0.24",
        "3.0.25",
        "3.0.26",
        "3.0.3",
        "3.0.4",
        "3.0.5",
        "3.0.6",
        "3.0.6b1",
        "3.0.6b2",
        "3.0.6b3",
        "3.0.7",
        "3.0.8",
        "3.0.8b1",
        "3.0.9",
        "3.0.9b10",
        "3.0.9b11",
        "3.0.9b20",
        "3.0b0",
        "3.0b1",
        "3.0b10",
        "3.0b2",
        "3.0b5",
        "3.0b6",
        "3.0b8",
        "3.0b9",
        "3.1.0",
        "3.1.1",
        "3.1.2",
        "3.1.3",
        "3.1.3a0",
        "3.1.3a2",
        "3.1.3a3",
        "3.1.3a4",
        "3.1.3a5",
        "3.1.4",
        "3.1.4b0",
        "3.1.4b1",
        "3.1.4b2",
        "3.1.4b3",
        "3.1.4b4",
        "3.1.4b5",
        "3.1.5",
        "3.1.5b1",
        "3.1.5b10",
        "3.1.5b2",
        "3.1.5b3",
        "3.1.5b4",
        "3.1.5b5",
        "3.1.5b7",
        "3.1.5b8",
        "3.1.5b9",
        "3.1.6",
        "3.1.6b1",
        "3.1.7",
        "3.1.8b0",
        "3.1.8b2",
        "3.1.8b3",
        "3.1.8b4",
        "3.1.8b6",
        "3.10.0",
        "3.10.1",
        "3.11.0",
        "3.12.0",
        "3.12.0b1",
        "3.12.0b2",
        "3.12.0b3",
        "3.12.0b6",
        "3.12.0b7",
        "3.13.0",
        "3.13.0b1",
        "3.13.1",
        "3.13.1b0",
        "3.13.1b1",
        "3.13.1b2",
        "3.13.2",
        "3.14.0",
        "3.14.0a1",
        "3.15.0",
        "3.16.0",
        "3.16.1",
        "3.16.1b1",
        "3.16.2",
        "3.17.0",
        "3.17.1",
        "3.17.1b1",
        "3.17.1b2",
        "3.18.0",
        "3.18.1b1",
        "3.18.1b2",
        "3.18.1b3",
        "3.18.1b4",
        "3.18.1b5",
        "3.18.1b6",
        "3.18.1b7",
        "3.19.0",
        "3.19.1",
        "3.2",
        "3.2.1b0",
        "3.2.1b1",
        "3.2.1b2",
        "3.20.0",
        "3.20.0b1",
        "3.20.0b2",
        "3.20.1",
        "3.21.0",
        "3.22.0",
        "3.22.1",
        "3.22.1b1",
        "3.23.0",
        "3.23.1b1",
        "3.23.1b2",
        "3.23.1b3",
        "3.24.0",
        "3.24.1",
        "3.25.0",
        "3.25.1b1",
        "3.25.1b2",
        "3.26.0",
        "3.27.0",
        "3.28.0",
        "3.28.1",
        "3.28.2",
        "3.28.3",
        "3.28.4b0",
        "3.29.0",
        "3.3",
        "3.3.1",
        "3.30.0",
        "3.31.0",
        "3.32.0",
        "3.33.0",
        "3.33.1",
        "3.34.0",
        "3.35.0",
        "3.35.1",
        "3.35.2",
        "3.36.0",
        "3.36.1",
        "3.37.0",
        "3.38.0",
        "3.39.0",
        "3.3b0",
        "3.3b1",
        "3.4",
        "3.4.1",
        "3.40.0",
        "3.40.1",
        "3.41.0",
        "3.41.1",
        "3.41.2",
        "3.42.0",
        "3.43.0",
        "3.43.1",
        "3.43.2",
        "3.44.0",
        "3.44.1",
        "3.44.2",
        "3.44.3",
        "3.44.4",
        "3.45.0",
        "3.45.0b0",
        "3.45.0b10",
        "3.45.0b11",
        "3.45.0b12",
        "3.45.0b13",
        "3.45.0b9",
        "3.45.1",
        "3.45.2",
        "3.46.0",
        "3.46.1",
        "3.47.0",
        "3.47.1",
        "3.48.0",
        "3.49.0",
        "3.4b0",
        "3.4b1",
        "3.4b2",
        "3.4b3",
        "3.4b5",
        "3.5",
        "3.50.0",
        "3.50.1",
        "3.50.2",
        "3.6",
        "3.6.0b1",
        "3.6.0b10",
        "3.6.0b2",
        "3.6.0b3",
        "3.6.0b7",
        "3.7",
        "3.8",
        "3.8.1",
        "3.8.1.dev1",
        "3.8.2",
        "3.8b1",
        "3.8b2",
        "3.9",
        "3.9.1",
        "4.0.0",
        "4.0.0b15",
        "4.0.1",
        "4.0.2",
        "4.1.0",
        "4.1.1",
        "4.1.2",
        "4.10.0",
        "4.11.0",
        "4.12.0",
        "4.13.0",
        "4.14.0",
        "4.15.0",
        "4.16.0",
        "4.17.0",
        "4.18.0",
        "4.19.0",
        "4.19.1",
        "4.19.2",
        "4.2.0",
        "4.20.0",
        "4.20.1",
        "4.21.0",
        "4.22.0",
        "4.23.0",
        "4.24.0",
        "4.25.0",
        "4.26.0",
        "4.27.0",
        "4.28.0",
        "4.28.1",
        "4.28.2",
        "4.28.3",
        "4.29.0",
        "4.3.0",
        "4.31.0",
        "4.31.1",
        "4.31.2",
        "4.31.3",
        "4.31.4",
        "4.31.5",
        "4.32.0",
        "4.32.1",
        "4.32.2",
        "4.33.0",
        "4.35.0",
        "4.36.0",
        "4.36.1",
        "4.37.1",
        "4.37.2",
        "4.38.0",
        "4.38.1",
        "4.39.0",
        "4.4.0",
        "4.4.1",
        "4.40.0",
        "4.41.0",
        "4.42.0",
        "4.43.0",
        "4.44.0",
        "4.44.1",
        "4.5.0",
        "4.7.0",
        "4.7.1",
        "4.8.0",
        "4.9.0",
        "4.9.1",
        "5.0.0b1",
        "5.0.0b10",
        "5.0.0b5",
        "5.0.0b6",
        "5.0.0b7",
        "5.0.0b8",
        "5.0.0b9"
      ]
    }
  ],
  "aliases": [
    "CVE-2024-47867",
    "GHSA-8c87-gvhj-xm8m"
  ],
  "details": "Gradio is an open-source Python package designed for quick prototyping. This vulnerability is a **lack of integrity check** on the downloaded FRP client, which could potentially allow attackers to introduce malicious code. If an attacker gains access to the remote URL from which the FRP client is downloaded, they could modify the binary without detection, as the Gradio server does not verify the file\u0027s checksum or signature.  Any users utilizing the Gradio server\u0027s sharing mechanism that downloads the FRP client could be affected by this vulnerability, especially those relying on the executable binary for secure data tunneling. There is no direct workaround for this issue without upgrading. However, users can manually validate the integrity of the downloaded FRP client by implementing checksum or signature verification in their own environment to ensure the binary hasn\u0027t been tampered with.",
  "id": "PYSEC-2024-216",
  "modified": "2025-01-19T22:22:23.549944+00:00",
  "published": "2024-10-10T23:15:02+00:00",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://github.com/gradio-app/gradio/security/advisories/GHSA-8c87-gvhj-xm8m"
    }
  ],
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-8C87-GVHJ-XM8M

Vulnerability from github – Published: 2024-10-10 22:02 – Updated: 2025-01-21 17:18

Summary

Gradio lacks integrity checking on the downloaded FRP client

Details

Impact

This vulnerability is a lack of integrity check on the downloaded FRP client, which could potentially allow attackers to introduce malicious code. If an attacker gains access to the remote URL from which the FRP client is downloaded, they could modify the binary without detection, as the Gradio server does not verify the file's checksum or signature.

Who is impacted?
Any users utilizing the Gradio server's sharing mechanism that downloads the FRP client could be affected by this vulnerability, especially those relying on the executable binary for secure data tunneling.

Patches

Yes, please upgrade to gradio>=5.0, which includes a fix to verify the integrity of the downloaded binary.

Workarounds

There is no direct workaround for this issue without upgrading. However, users can manually validate the integrity of the downloaded FRP client by implementing checksum or signature verification in their own environment to ensure the binary hasn't been tampered with.

Severity ?

7.5 (High)


                  
                    CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

7.5 (High)


                  
                    CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "gradio"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-47867"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-345",
      "CWE-494"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-10-10T22:02:52Z",
    "nvd_published_at": "2024-10-10T23:15:02Z",
    "severity": "HIGH"
  },
  "details": "### Impact\nThis vulnerability is a **lack of integrity check** on the downloaded FRP client, which could potentially allow attackers to introduce malicious code. If an attacker gains access to the remote URL from which the FRP client is downloaded, they could modify the binary without detection, as the Gradio server does not verify the file\u0027s checksum or signature. \n\n**Who is impacted?**  \nAny users utilizing the Gradio server\u0027s sharing mechanism that downloads the FRP client could be affected by this vulnerability, especially those relying on the executable binary for secure data tunneling.\n\n### Patches\nYes, please upgrade to `gradio\u003e=5.0`, which includes a fix to verify the integrity of the downloaded binary.\n\n### Workarounds\nThere is no direct workaround for this issue without upgrading. However, users can manually validate the integrity of the downloaded FRP client by implementing checksum or signature verification in their own environment to ensure the binary hasn\u0027t been tampered with.",
  "id": "GHSA-8c87-gvhj-xm8m",
  "modified": "2025-01-21T17:18:32Z",
  "published": "2024-10-10T22:02:52Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/gradio-app/gradio/security/advisories/GHSA-8c87-gvhj-xm8m"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47867"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/gradio-app/gradio"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/gradio/PYSEC-2024-216.yaml"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Gradio lacks integrity checking on the downloaded FRP client"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2024-47867 (GCVE-0-2024-47867)

FKIE_CVE-2024-47867

PYSEC-2024-216

GHSA-8C87-GVHJ-XM8M

Impact

Patches

Workarounds

Tags

Sightings

Nomenclature