How severe is CVE-2024-47871?

This vulnerability has a severity rating of HIGH with a CVSS score of 9.1 out of 10.

What type of vulnerability is CVE-2024-47871?

This is classified as CWE-311, which is a common weakness in software security.

CVE-2024-47871 - HIGH Severity | CVSS 9.1

Vulnerability Description

Gradio is an open-source Python package designed for quick prototyping. This vulnerability involves **insecure communication** between the FRP (Fast Reverse Proxy) client and server when Gradio's `share=True` option is used. HTTPS is not enforced on the connection, allowing attackers to intercept and read files uploaded to the Gradio server, as well as modify responses or data sent between the client and server. This impacts users who are sharing Gradio demos publicly over the internet using `share=True` without proper encryption, exposing sensitive data to potential eavesdroppers. Users are advised to upgrade to `gradio>=5` to address this issue. As a workaround, users can avoid using `share=True` in production environments and instead host their Gradio applications on servers with HTTPS enabled to ensure secure communication.

Related Vulnerabilities

CVE-2020-12032

CRITICAL

CVSS:9.1(Critical)

Baxter ExactaMix EM 2400 Versions 1.10, 1.11 and ExactaMix EM1200 Versions 1.1, 1.2 systems store device data with sensitive information in an unencrypted database. This could allow an attacker with n...

CWE-3112020

CVE-2021-27779

CRITICAL

CVSS:9.1(Critical)

VersionVault Express exposes sensitive information that an attacker can use to impersonate the server or eavesdrop on communications with the server.

CWE-3112021

CVE-2024-29151

CRITICAL

CVSS:9.1(Critical)

Rocket.Chat.Audit through 5ad78e8 depends on filecachetools, which does not exist in PyPI.

CWE-3112024

CVE-2017-3219

HIGH

CVSS:8.8(High)

Acronis True Image up to and including version 2017 Build 8053 performs software updates using HTTP. Downloaded updates are only verified using a server-provided MD5 hash.

CWE-3112017

CVE-2018-7781

HIGH

CVSS:8.8(High)

In Schneider Electric Pelco Sarix Professional 1st generation cameras with firmware versions prior to 3.29.69, by sending a specially crafted request an authenticated user can view password in clear t...

CWE-3112018

CVE-2019-1003051

HIGH

CVSS:8.8(High)

Jenkins IRC Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system.

CWE-3112019