cvelistv5 - cve-2024-47871

CVE-2024-47871 (GCVE-0-2024-47871)

Vulnerability from cvelistv5 – Published: 2024-10-10 22:14 – Updated: 2024-10-11 15:19

Summary

Gradio is an open-source Python package designed for quick prototyping. This vulnerability involves **insecure communication** between the FRP (Fast Reverse Proxy) client and server when Gradio's `share=True` option is used. HTTPS is not enforced on the connection, allowing attackers to intercept and read files uploaded to the Gradio server, as well as modify responses or data sent between the client and server. This impacts users who are sharing Gradio demos publicly over the internet using `share=True` without proper encryption, exposing sensitive data to potential eavesdroppers. Users are advised to upgrade to `gradio>=5` to address this issue. As a workaround, users can avoid using `share=True` in production environments and instead host their Gradio applications on servers with HTTPS enabled to ensure secure communication.

Severity ?

8.2 (High)


                        
                          CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

CWE

CWE-311 - Missing Encryption of Sensitive Data

Assigner

GitHub_M

References

URL

Tags

https://github.com/gradio-app/gradio/security/adv…

x_refsource_CONFIRM

Impacted products

	Vendor	Product	Version
	gradio-app	gradio	Affected: < 5.0.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-47871",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-10-11T15:19:13.147064Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-10-11T15:19:21.129Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "gradio",
          "vendor": "gradio-app",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 5.0.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Gradio is an open-source Python package designed for quick prototyping. This vulnerability involves **insecure communication** between the FRP (Fast Reverse Proxy) client and server when Gradio\u0027s `share=True` option is used. HTTPS is not enforced on the connection, allowing attackers to intercept and read files uploaded to the Gradio server, as well as modify responses or data sent between the client and server. This impacts users who are sharing Gradio demos publicly over the internet using `share=True` without proper encryption, exposing sensitive data to potential eavesdroppers. Users are advised to upgrade to `gradio\u003e=5` to address this issue. As a workaround, users can avoid using `share=True` in production environments and instead host their Gradio applications on servers with HTTPS enabled to ensure secure communication."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "NONE"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-311",
              "description": "CWE-311: Missing Encryption of Sensitive Data",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-10-10T22:14:00.923Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/gradio-app/gradio/security/advisories/GHSA-279j-x4gx-hfrh",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/gradio-app/gradio/security/advisories/GHSA-279j-x4gx-hfrh"
        }
      ],
      "source": {
        "advisory": "GHSA-279j-x4gx-hfrh",
        "discovery": "UNKNOWN"
      },
      "title": "Insecure communication between the FRP client and server in Gradio"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-47871",
    "datePublished": "2024-10-10T22:14:00.923Z",
    "dateReserved": "2024-10-04T16:00:09.629Z",
    "dateUpdated": "2024-10-11T15:19:21.129Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:gradio_project:gradio:*:*:*:*:*:python:*:*\", \"versionEndExcluding\": \"5.0.0\", \"matchCriteriaId\": \"32D191C7-095C-427B-832D-C63FE4D4A037\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"Gradio is an open-source Python package designed for quick prototyping. This vulnerability involves **insecure communication** between the FRP (Fast Reverse Proxy) client and server when Gradio\u0027s `share=True` option is used. HTTPS is not enforced on the connection, allowing attackers to intercept and read files uploaded to the Gradio server, as well as modify responses or data sent between the client and server. This impacts users who are sharing Gradio demos publicly over the internet using `share=True` without proper encryption, exposing sensitive data to potential eavesdroppers. Users are advised to upgrade to `gradio\u003e=5` to address this issue. As a workaround, users can avoid using `share=True` in production environments and instead host their Gradio applications on servers with HTTPS enabled to ensure secure communication.\"}, {\"lang\": \"es\", \"value\": \"Gradio es un paquete Python de c\\u00f3digo abierto dise\\u00f1ado para la creaci\\u00f3n r\\u00e1pida de prototipos. Esta vulnerabilidad implica una **comunicaci\\u00f3n insegura** entre el cliente y el servidor de FRP (Fast Reverse Proxy) cuando se utiliza la opci\\u00f3n `share=True` de Gradio. No se aplica HTTPS en la conexi\\u00f3n, lo que permite a los atacantes interceptar y leer archivos cargados en el servidor de Gradio, as\\u00ed como modificar las respuestas o los datos enviados entre el cliente y el servidor. Esto afecta a los usuarios que comparten demostraciones de Gradio p\\u00fablicamente a trav\\u00e9s de Internet utilizando `share=True` sin el cifrado adecuado, lo que expone los datos confidenciales a posibles esp\\u00edas. Se recomienda a los usuarios que actualicen a `gradio\u0026gt;=5` para solucionar este problema. Como workaround, los usuarios pueden evitar el uso de `share=True` en entornos de producci\\u00f3n y, en su lugar, alojar sus aplicaciones Gradio en servidores con HTTPS habilitado para garantizar una comunicaci\\u00f3n segura.\"}]",
      "id": "CVE-2024-47871",
      "lastModified": "2024-10-17T17:11:31.150",
      "metrics": "{\"cvssMetricV40\": [{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"4.0\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\", \"baseScore\": 8.2, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"PRESENT\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"vulnerableSystemConfidentiality\": \"HIGH\", \"vulnerableSystemIntegrity\": \"NONE\", \"vulnerableSystemAvailability\": \"NONE\", \"subsequentSystemConfidentiality\": \"NONE\", \"subsequentSystemIntegrity\": \"NONE\", \"subsequentSystemAvailability\": \"NONE\", \"exploitMaturity\": \"NOT_DEFINED\", \"confidentialityRequirements\": \"NOT_DEFINED\", \"integrityRequirements\": \"NOT_DEFINED\", \"availabilityRequirements\": \"NOT_DEFINED\", \"modifiedAttackVector\": \"NOT_DEFINED\", \"modifiedAttackComplexity\": \"NOT_DEFINED\", \"modifiedAttackRequirements\": \"NOT_DEFINED\", \"modifiedPrivilegesRequired\": \"NOT_DEFINED\", \"modifiedUserInteraction\": \"NOT_DEFINED\", \"modifiedVulnerableSystemConfidentiality\": \"NOT_DEFINED\", \"modifiedVulnerableSystemIntegrity\": \"NOT_DEFINED\", \"modifiedVulnerableSystemAvailability\": \"NOT_DEFINED\", \"modifiedSubsequentSystemConfidentiality\": \"NOT_DEFINED\", \"modifiedSubsequentSystemIntegrity\": \"NOT_DEFINED\", \"modifiedSubsequentSystemAvailability\": \"NOT_DEFINED\", \"safety\": \"NOT_DEFINED\", \"automatable\": \"NOT_DEFINED\", \"recovery\": \"NOT_DEFINED\", \"valueDensity\": \"NOT_DEFINED\", \"vulnerabilityResponseEffort\": \"NOT_DEFINED\", \"providerUrgency\": \"NOT_DEFINED\"}}], \"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N\", \"baseScore\": 9.1, \"baseSeverity\": \"CRITICAL\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 5.2}]}",
      "published": "2024-10-10T23:15:03.187",
      "references": "[{\"url\": \"https://github.com/gradio-app/gradio/security/advisories/GHSA-279j-x4gx-hfrh\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Third Party Advisory\"]}]",
      "sourceIdentifier": "security-advisories@github.com",
      "vulnStatus": "Analyzed",
      "weaknesses": "[{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-311\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-311\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-47871\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2024-10-10T23:15:03.187\",\"lastModified\":\"2024-10-17T17:11:31.150\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Gradio is an open-source Python package designed for quick prototyping. This vulnerability involves **insecure communication** between the FRP (Fast Reverse Proxy) client and server when Gradio\u0027s `share=True` option is used. HTTPS is not enforced on the connection, allowing attackers to intercept and read files uploaded to the Gradio server, as well as modify responses or data sent between the client and server. This impacts users who are sharing Gradio demos publicly over the internet using `share=True` without proper encryption, exposing sensitive data to potential eavesdroppers. Users are advised to upgrade to `gradio\u003e=5` to address this issue. As a workaround, users can avoid using `share=True` in production environments and instead host their Gradio applications on servers with HTTPS enabled to ensure secure communication.\"},{\"lang\":\"es\",\"value\":\"Gradio es un paquete Python de c\u00f3digo abierto dise\u00f1ado para la creaci\u00f3n r\u00e1pida de prototipos. Esta vulnerabilidad implica una **comunicaci\u00f3n insegura** entre el cliente y el servidor de FRP (Fast Reverse Proxy) cuando se utiliza la opci\u00f3n `share=True` de Gradio. No se aplica HTTPS en la conexi\u00f3n, lo que permite a los atacantes interceptar y leer archivos cargados en el servidor de Gradio, as\u00ed como modificar las respuestas o los datos enviados entre el cliente y el servidor. Esto afecta a los usuarios que comparten demostraciones de Gradio p\u00fablicamente a trav\u00e9s de Internet utilizando `share=True` sin el cifrado adecuado, lo que expone los datos confidenciales a posibles esp\u00edas. Se recomienda a los usuarios que actualicen a `gradio\u0026gt;=5` para solucionar este problema. Como workaround, los usuarios pueden evitar el uso de `share=True` en entornos de producci\u00f3n y, en su lugar, alojar sus aplicaciones Gradio en servidores con HTTPS habilitado para garantizar una comunicaci\u00f3n segura.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":8.2,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"PRESENT\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"HIGH\",\"vulnIntegrityImpact\":\"NONE\",\"vulnAvailabilityImpact\":\"NONE\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N\",\"baseScore\":9.1,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":5.2}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-311\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-311\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:gradio_project:gradio:*:*:*:*:*:python:*:*\",\"versionEndExcluding\":\"5.0.0\",\"matchCriteriaId\":\"32D191C7-095C-427B-832D-C63FE4D4A037\"}]}]}],\"references\":[{\"url\":\"https://github.com/gradio-app/gradio/security/advisories/GHSA-279j-x4gx-hfrh\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Third Party Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"cna\": {\"title\": \"Insecure communication between the FRP client and server in Gradio\", \"problemTypes\": [{\"descriptions\": [{\"cweId\": \"CWE-311\", \"lang\": \"en\", \"description\": \"CWE-311: Missing Encryption of Sensitive Data\", \"type\": \"CWE\"}]}], \"metrics\": [{\"cvssV4_0\": {\"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"PRESENT\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"vulnConfidentialityImpact\": \"HIGH\", \"vulnIntegrityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"NONE\", \"subConfidentialityImpact\": \"NONE\", \"subIntegrityImpact\": \"NONE\", \"subAvailabilityImpact\": \"NONE\", \"baseScore\": 8.2, \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N\", \"version\": \"4.0\"}}], \"references\": [{\"name\": \"https://github.com/gradio-app/gradio/security/advisories/GHSA-279j-x4gx-hfrh\", \"tags\": [\"x_refsource_CONFIRM\"], \"url\": \"https://github.com/gradio-app/gradio/security/advisories/GHSA-279j-x4gx-hfrh\"}], \"affected\": [{\"vendor\": \"gradio-app\", \"product\": \"gradio\", \"versions\": [{\"version\": \"\u003c 5.0.0\", \"status\": \"affected\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2024-10-10T22:14:00.923Z\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Gradio is an open-source Python package designed for quick prototyping. This vulnerability involves **insecure communication** between the FRP (Fast Reverse Proxy) client and server when Gradio\u0027s `share=True` option is used. HTTPS is not enforced on the connection, allowing attackers to intercept and read files uploaded to the Gradio server, as well as modify responses or data sent between the client and server. This impacts users who are sharing Gradio demos publicly over the internet using `share=True` without proper encryption, exposing sensitive data to potential eavesdroppers. Users are advised to upgrade to `gradio\u003e=5` to address this issue. As a workaround, users can avoid using `share=True` in production environments and instead host their Gradio applications on servers with HTTPS enabled to ensure secure communication.\"}], \"source\": {\"advisory\": \"GHSA-279j-x4gx-hfrh\", \"discovery\": \"UNKNOWN\"}}, \"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-47871\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-10-11T15:19:13.147064Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-10-11T15:19:17.361Z\"}}]}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-47871\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"state\": \"PUBLISHED\", \"assignerShortName\": \"GitHub_M\", \"dateReserved\": \"2024-10-04T16:00:09.629Z\", \"datePublished\": \"2024-10-10T22:14:00.923Z\", \"dateUpdated\": \"2024-10-11T15:19:21.129Z\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

PYSEC-2024-219

Vulnerability from pysec - Published: 2024-10-10 23:15 - Updated: 2025-01-19 22:22

Details

Gradio is an open-source Python package designed for quick prototyping. This vulnerability involves insecure communication between the FRP (Fast Reverse Proxy) client and server when Gradio's share=True option is used. HTTPS is not enforced on the connection, allowing attackers to intercept and read files uploaded to the Gradio server, as well as modify responses or data sent between the client and server. This impacts users who are sharing Gradio demos publicly over the internet using share=True without proper encryption, exposing sensitive data to potential eavesdroppers. Users are advised to upgrade to gradio>=5 to address this issue. As a workaround, users can avoid using share=True in production environments and instead host their Gradio applications on servers with HTTPS enabled to ensure secure communication.

Severity ?

9.1 (Critical)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Impacted products

Name	purl
gradio	pkg:pypi/gradio

Aliases

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "gradio",
        "purl": "pkg:pypi/gradio"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "0.1.0",
        "0.1.1",
        "0.1.2",
        "0.1.3",
        "0.1.4",
        "0.1.5",
        "0.1.6",
        "0.1.7",
        "0.1.8",
        "0.1.9",
        "0.2.0",
        "0.2.1",
        "0.3.0",
        "0.3.1",
        "0.3.2",
        "0.3.3",
        "0.3.4",
        "0.3.5",
        "0.4.0",
        "0.4.1",
        "0.4.2",
        "0.4.4",
        "0.5.0",
        "0.7.0",
        "0.7.1",
        "0.7.2",
        "0.7.3",
        "0.7.4",
        "0.7.5",
        "0.7.6",
        "0.7.7",
        "0.7.8",
        "0.8.0",
        "0.8.1",
        "0.9.0",
        "0.9.1",
        "0.9.2",
        "0.9.3",
        "0.9.4",
        "0.9.5",
        "0.9.6",
        "0.9.7",
        "0.9.8",
        "0.9.9.2",
        "0.9.9.3",
        "0.9.9.5",
        "0.9.9.6",
        "0.9.9.7",
        "0.9.9.8",
        "0.9.9.9",
        "0.9.9.9.2",
        "1.0.0",
        "1.0.0a1",
        "1.0.0a3",
        "1.0.0a4",
        "1.0.1",
        "1.0.2",
        "1.0.3",
        "1.0.4",
        "1.0.5",
        "1.0.6",
        "1.0.7",
        "1.1.0",
        "1.1.1",
        "1.1.2",
        "1.1.3",
        "1.1.4",
        "1.1.5",
        "1.1.6",
        "1.1.8",
        "1.1.8.1",
        "1.1.9",
        "1.2.2",
        "1.2.3",
        "1.3.0",
        "1.3.1",
        "1.3.2",
        "1.4.0",
        "1.4.2",
        "1.4.3",
        "1.4.4",
        "1.5.0",
        "1.5.1",
        "1.5.3",
        "1.5.4",
        "1.6.0",
        "1.6.1",
        "1.6.2",
        "1.6.3",
        "1.6.4",
        "1.7.0",
        "1.7.1",
        "1.7.2",
        "1.7.3",
        "1.7.4",
        "1.7.5",
        "1.7.6",
        "1.7.7",
        "2.0.0",
        "2.0.1",
        "2.0.10",
        "2.0.2",
        "2.0.4",
        "2.0.5",
        "2.0.6",
        "2.0.7",
        "2.0.8",
        "2.0.9",
        "2.1.0",
        "2.1.1",
        "2.1.2",
        "2.1.4",
        "2.1.6",
        "2.1.7",
        "2.2.0",
        "2.2.1",
        "2.2.10",
        "2.2.11",
        "2.2.12",
        "2.2.13",
        "2.2.14",
        "2.2.15",
        "2.2.2",
        "2.2.3",
        "2.2.4",
        "2.2.5",
        "2.2.6",
        "2.2.7",
        "2.2.8",
        "2.2.9a0",
        "2.2.9a2",
        "2.3.0",
        "2.3.0a0",
        "2.3.0b101",
        "2.3.0b102",
        "2.3.0b99",
        "2.3.3",
        "2.3.4",
        "2.3.5",
        "2.3.5b0",
        "2.3.6",
        "2.3.7",
        "2.3.7b0",
        "2.3.7b1",
        "2.3.7b2",
        "2.3.8b0",
        "2.3.9",
        "2.4.0",
        "2.4.0a0",
        "2.4.1",
        "2.4.2",
        "2.4.4",
        "2.4.5",
        "2.4.6",
        "2.4.7b0",
        "2.4.7b2",
        "2.4.7b3",
        "2.4.7b4",
        "2.4.7b5",
        "2.4.7b6",
        "2.4.7b7",
        "2.4.7b8",
        "2.4.7b9",
        "2.5.0",
        "2.5.1",
        "2.5.2",
        "2.5.3",
        "2.5.8a0",
        "2.6.0",
        "2.6.1",
        "2.6.1a0",
        "2.6.1b0",
        "2.6.1b3",
        "2.6.2",
        "2.6.3",
        "2.6.4",
        "2.6.4b0",
        "2.6.4b2",
        "2.6.4b3",
        "2.7.0",
        "2.7.0a101",
        "2.7.0a102",
        "2.7.0b70",
        "2.7.5",
        "2.7.5.1",
        "2.7.5.2",
        "2.7.5.2b0",
        "2.8.0",
        "2.8.0a100",
        "2.8.0b0",
        "2.8.0b10",
        "2.8.0b12",
        "2.8.0b2",
        "2.8.0b20",
        "2.8.0b22",
        "2.8.0b3",
        "2.8.0b4",
        "2.8.0b5",
        "2.8.0b6",
        "2.8.1",
        "2.8.10",
        "2.8.11",
        "2.8.12",
        "2.8.13",
        "2.8.14",
        "2.8.2",
        "2.8.3",
        "2.8.4",
        "2.8.5",
        "2.8.6",
        "2.8.7",
        "2.8.8",
        "2.8.9",
        "2.9.0",
        "2.9.0.1",
        "2.9.0b0",
        "2.9.0b1",
        "2.9.0b10",
        "2.9.0b2",
        "2.9.0b3",
        "2.9.0b5",
        "2.9.0b6",
        "2.9.0b7",
        "2.9.0b8",
        "2.9.0b9",
        "2.9.1",
        "2.9.2",
        "2.9.3",
        "2.9.4",
        "2.9b11",
        "2.9b12",
        "2.9b13",
        "2.9b14",
        "2.9b15",
        "2.9b20",
        "2.9b21",
        "2.9b22",
        "2.9b23",
        "2.9b24",
        "2.9b25",
        "2.9b26",
        "2.9b27",
        "2.9b28",
        "2.9b30",
        "2.9b31",
        "2.9b32",
        "2.9b33",
        "2.9b40",
        "2.9b48",
        "2.9b50",
        "3.0",
        "3.0.1",
        "3.0.10",
        "3.0.10b16",
        "3.0.10b2",
        "3.0.11",
        "3.0.11b1",
        "3.0.12",
        "3.0.13",
        "3.0.13b100",
        "3.0.13b13",
        "3.0.13b15",
        "3.0.14",
        "3.0.15",
        "3.0.16",
        "3.0.17",
        "3.0.18",
        "3.0.18b0",
        "3.0.19",
        "3.0.19b0",
        "3.0.19b1",
        "3.0.19b2",
        "3.0.1b120",
        "3.0.1b121",
        "3.0.1b300",
        "3.0.2",
        "3.0.20",
        "3.0.20.dev0",
        "3.0.21",
        "3.0.22",
        "3.0.23",
        "3.0.23.dev1",
        "3.0.24",
        "3.0.25",
        "3.0.26",
        "3.0.3",
        "3.0.4",
        "3.0.5",
        "3.0.6",
        "3.0.6b1",
        "3.0.6b2",
        "3.0.6b3",
        "3.0.7",
        "3.0.8",
        "3.0.8b1",
        "3.0.9",
        "3.0.9b10",
        "3.0.9b11",
        "3.0.9b20",
        "3.0b0",
        "3.0b1",
        "3.0b10",
        "3.0b2",
        "3.0b5",
        "3.0b6",
        "3.0b8",
        "3.0b9",
        "3.1.0",
        "3.1.1",
        "3.1.2",
        "3.1.3",
        "3.1.3a0",
        "3.1.3a2",
        "3.1.3a3",
        "3.1.3a4",
        "3.1.3a5",
        "3.1.4",
        "3.1.4b0",
        "3.1.4b1",
        "3.1.4b2",
        "3.1.4b3",
        "3.1.4b4",
        "3.1.4b5",
        "3.1.5",
        "3.1.5b1",
        "3.1.5b10",
        "3.1.5b2",
        "3.1.5b3",
        "3.1.5b4",
        "3.1.5b5",
        "3.1.5b7",
        "3.1.5b8",
        "3.1.5b9",
        "3.1.6",
        "3.1.6b1",
        "3.1.7",
        "3.1.8b0",
        "3.1.8b2",
        "3.1.8b3",
        "3.1.8b4",
        "3.1.8b6",
        "3.10.0",
        "3.10.1",
        "3.11.0",
        "3.12.0",
        "3.12.0b1",
        "3.12.0b2",
        "3.12.0b3",
        "3.12.0b6",
        "3.12.0b7",
        "3.13.0",
        "3.13.0b1",
        "3.13.1",
        "3.13.1b0",
        "3.13.1b1",
        "3.13.1b2",
        "3.13.2",
        "3.14.0",
        "3.14.0a1",
        "3.15.0",
        "3.16.0",
        "3.16.1",
        "3.16.1b1",
        "3.16.2",
        "3.17.0",
        "3.17.1",
        "3.17.1b1",
        "3.17.1b2",
        "3.18.0",
        "3.18.1b1",
        "3.18.1b2",
        "3.18.1b3",
        "3.18.1b4",
        "3.18.1b5",
        "3.18.1b6",
        "3.18.1b7",
        "3.19.0",
        "3.19.1",
        "3.2",
        "3.2.1b0",
        "3.2.1b1",
        "3.2.1b2",
        "3.20.0",
        "3.20.0b1",
        "3.20.0b2",
        "3.20.1",
        "3.21.0",
        "3.22.0",
        "3.22.1",
        "3.22.1b1",
        "3.23.0",
        "3.23.1b1",
        "3.23.1b2",
        "3.23.1b3",
        "3.24.0",
        "3.24.1",
        "3.25.0",
        "3.25.1b1",
        "3.25.1b2",
        "3.26.0",
        "3.27.0",
        "3.28.0",
        "3.28.1",
        "3.28.2",
        "3.28.3",
        "3.28.4b0",
        "3.29.0",
        "3.3",
        "3.3.1",
        "3.30.0",
        "3.31.0",
        "3.32.0",
        "3.33.0",
        "3.33.1",
        "3.34.0",
        "3.35.0",
        "3.35.1",
        "3.35.2",
        "3.36.0",
        "3.36.1",
        "3.37.0",
        "3.38.0",
        "3.39.0",
        "3.3b0",
        "3.3b1",
        "3.4",
        "3.4.1",
        "3.40.0",
        "3.40.1",
        "3.41.0",
        "3.41.1",
        "3.41.2",
        "3.42.0",
        "3.43.0",
        "3.43.1",
        "3.43.2",
        "3.44.0",
        "3.44.1",
        "3.44.2",
        "3.44.3",
        "3.44.4",
        "3.45.0",
        "3.45.0b0",
        "3.45.0b10",
        "3.45.0b11",
        "3.45.0b12",
        "3.45.0b13",
        "3.45.0b9",
        "3.45.1",
        "3.45.2",
        "3.46.0",
        "3.46.1",
        "3.47.0",
        "3.47.1",
        "3.48.0",
        "3.49.0",
        "3.4b0",
        "3.4b1",
        "3.4b2",
        "3.4b3",
        "3.4b5",
        "3.5",
        "3.50.0",
        "3.50.1",
        "3.50.2",
        "3.6",
        "3.6.0b1",
        "3.6.0b10",
        "3.6.0b2",
        "3.6.0b3",
        "3.6.0b7",
        "3.7",
        "3.8",
        "3.8.1",
        "3.8.1.dev1",
        "3.8.2",
        "3.8b1",
        "3.8b2",
        "3.9",
        "3.9.1",
        "4.0.0",
        "4.0.0b15",
        "4.0.1",
        "4.0.2",
        "4.1.0",
        "4.1.1",
        "4.1.2",
        "4.10.0",
        "4.11.0",
        "4.12.0",
        "4.13.0",
        "4.14.0",
        "4.15.0",
        "4.16.0",
        "4.17.0",
        "4.18.0",
        "4.19.0",
        "4.19.1",
        "4.19.2",
        "4.2.0",
        "4.20.0",
        "4.20.1",
        "4.21.0",
        "4.22.0",
        "4.23.0",
        "4.24.0",
        "4.25.0",
        "4.26.0",
        "4.27.0",
        "4.28.0",
        "4.28.1",
        "4.28.2",
        "4.28.3",
        "4.29.0",
        "4.3.0",
        "4.31.0",
        "4.31.1",
        "4.31.2",
        "4.31.3",
        "4.31.4",
        "4.31.5",
        "4.32.0",
        "4.32.1",
        "4.32.2",
        "4.33.0",
        "4.35.0",
        "4.36.0",
        "4.36.1",
        "4.37.1",
        "4.37.2",
        "4.38.0",
        "4.38.1",
        "4.39.0",
        "4.4.0",
        "4.4.1",
        "4.40.0",
        "4.41.0",
        "4.42.0",
        "4.43.0",
        "4.44.0",
        "4.44.1",
        "4.5.0",
        "4.7.0",
        "4.7.1",
        "4.8.0",
        "4.9.0",
        "4.9.1",
        "5.0.0b1",
        "5.0.0b10",
        "5.0.0b5",
        "5.0.0b6",
        "5.0.0b7",
        "5.0.0b8",
        "5.0.0b9"
      ]
    }
  ],
  "aliases": [
    "CVE-2024-47871",
    "GHSA-279j-x4gx-hfrh"
  ],
  "details": "Gradio is an open-source Python package designed for quick prototyping. This vulnerability involves **insecure communication** between the FRP (Fast Reverse Proxy) client and server when Gradio\u0027s `share=True` option is used. HTTPS is not enforced on the connection, allowing attackers to intercept and read files uploaded to the Gradio server, as well as modify responses or data sent between the client and server. This impacts users who are sharing Gradio demos publicly over the internet using `share=True` without proper encryption, exposing sensitive data to potential eavesdroppers. Users are advised to upgrade to `gradio\u003e=5` to address this issue. As a workaround, users can avoid using `share=True` in production environments and instead host their Gradio applications on servers with HTTPS enabled to ensure secure communication.",
  "id": "PYSEC-2024-219",
  "modified": "2025-01-19T22:22:23.897787+00:00",
  "published": "2024-10-10T23:15:03+00:00",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://github.com/gradio-app/gradio/security/advisories/GHSA-279j-x4gx-hfrh"
    }
  ],
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-279J-X4GX-HFRH

Vulnerability from github – Published: 2024-10-10 22:08 – Updated: 2025-01-21 17:18

Summary

Gradio uses insecure communication between the FRP client and server

Details

Impact

What kind of vulnerability is it? Who is impacted?

This vulnerability involves insecure communication between the FRP (Fast Reverse Proxy) client and server when Gradio's share=True option is used. HTTPS is not enforced on the connection, allowing attackers to intercept and read files uploaded to the Gradio server, as well as modify responses or data sent between the client and server. This impacts users who are sharing Gradio demos publicly over the internet using share=True without proper encryption, exposing sensitive data to potential eavesdroppers.

Patches

Yes, please upgrade to gradio>=5 to address this issue.

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

As a workaround, users can avoid using share=True in production environments and instead host their Gradio applications on servers with HTTPS enabled to ensure secure communication.

Severity ?

8.1 (High)


                  
                    CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

8.6 (High)


                  
                    CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "gradio"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-47871"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-311"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-10-10T22:08:51Z",
    "nvd_published_at": "2024-10-10T23:15:03Z",
    "severity": "HIGH"
  },
  "details": "### Impact  \n**What kind of vulnerability is it? Who is impacted?**\n\nThis vulnerability involves **insecure communication** between the FRP (Fast Reverse Proxy) client and server when Gradio\u0027s `share=True` option is used. HTTPS is not enforced on the connection, allowing attackers to intercept and read files uploaded to the Gradio server, as well as modify responses or data sent between the client and server. This impacts users who are sharing Gradio demos publicly over the internet using `share=True` without proper encryption, exposing sensitive data to potential eavesdroppers.\n\n### Patches  \nYes, please upgrade to `gradio\u003e=5` to address this issue.\n\n### Workarounds  \n**Is there a way for users to fix or remediate the vulnerability without upgrading?**\n\nAs a workaround, users can avoid using `share=True` in production environments and instead host their Gradio applications on servers with HTTPS enabled to ensure secure communication.",
  "id": "GHSA-279j-x4gx-hfrh",
  "modified": "2025-01-21T17:18:25Z",
  "published": "2024-10-10T22:08:51Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/gradio-app/gradio/security/advisories/GHSA-279j-x4gx-hfrh"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47871"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/gradio-app/gradio"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/gradio/PYSEC-2024-219.yaml"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Gradio uses insecure communication between the FRP client and server"
}

FKIE_CVE-2024-47871

Vulnerability from fkie_nvd - Published: 2024-10-10 23:15 - Updated: 2024-10-17 17:11

Severity ?

9.1 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/gradio-app/gradio/security/advisories/GHSA-279j-x4gx-hfrh	Third Party Advisory

Impacted products

	Vendor	Product	Version
	gradio_project	gradio	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:gradio_project:gradio:*:*:*:*:*:python:*:*",
              "matchCriteriaId": "32D191C7-095C-427B-832D-C63FE4D4A037",
              "versionEndExcluding": "5.0.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Gradio is an open-source Python package designed for quick prototyping. This vulnerability involves **insecure communication** between the FRP (Fast Reverse Proxy) client and server when Gradio\u0027s `share=True` option is used. HTTPS is not enforced on the connection, allowing attackers to intercept and read files uploaded to the Gradio server, as well as modify responses or data sent between the client and server. This impacts users who are sharing Gradio demos publicly over the internet using `share=True` without proper encryption, exposing sensitive data to potential eavesdroppers. Users are advised to upgrade to `gradio\u003e=5` to address this issue. As a workaround, users can avoid using `share=True` in production environments and instead host their Gradio applications on servers with HTTPS enabled to ensure secure communication."
    },
    {
      "lang": "es",
      "value": "Gradio es un paquete Python de c\u00f3digo abierto dise\u00f1ado para la creaci\u00f3n r\u00e1pida de prototipos. Esta vulnerabilidad implica una **comunicaci\u00f3n insegura** entre el cliente y el servidor de FRP (Fast Reverse Proxy) cuando se utiliza la opci\u00f3n `share=True` de Gradio. No se aplica HTTPS en la conexi\u00f3n, lo que permite a los atacantes interceptar y leer archivos cargados en el servidor de Gradio, as\u00ed como modificar las respuestas o los datos enviados entre el cliente y el servidor. Esto afecta a los usuarios que comparten demostraciones de Gradio p\u00fablicamente a trav\u00e9s de Internet utilizando `share=True` sin el cifrado adecuado, lo que expone los datos confidenciales a posibles esp\u00edas. Se recomienda a los usuarios que actualicen a `gradio\u0026gt;=5` para solucionar este problema. Como workaround, los usuarios pueden evitar el uso de `share=True` en entornos de producci\u00f3n y, en su lugar, alojar sus aplicaciones Gradio en servidores con HTTPS habilitado para garantizar una comunicaci\u00f3n segura."
    }
  ],
  "id": "CVE-2024-47871",
  "lastModified": "2024-10-17T17:11:31.150",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 9.1,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.2,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ],
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "PRESENT",
          "attackVector": "NETWORK",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 8.2,
          "baseSeverity": "HIGH",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "NONE",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "NONE",
          "subConfidentialityImpact": "NONE",
          "subIntegrityImpact": "NONE",
          "userInteraction": "NONE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "NONE",
          "vulnConfidentialityImpact": "HIGH",
          "vulnIntegrityImpact": "NONE",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2024-10-10T23:15:03.187",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/gradio-app/gradio/security/advisories/GHSA-279j-x4gx-hfrh"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-311"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-311"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2024-47871 (GCVE-0-2024-47871)

PYSEC-2024-219

GHSA-279J-X4GX-HFRH

Impact

Patches

Workarounds

FKIE_CVE-2024-47871

Tags

Sightings

Nomenclature