CVE-2024-47870

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2024-47870
Gradio is an open-source Python package designed for quick prototyping. This vulnerability involves a **race condition** in the `update_root_in_config` function, allowing an attacker to modify the `root` URL used by the Gradio frontend to communicate with the backend. By exploiting this flaw, an attacker can redirect user traffic to a malicious server. This could lead to the interception of sensitive data such as authentication credentials or uploaded files. This impacts all users who connect to a Gradio server, especially those exposed to the internet, where malicious actors could exploit this race condition. Users are advised to upgrade to `gradio>=5` to address this issue. There are no known workarounds for this issue.

8.1 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.2 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://github.com/gradio-app/gradio/security/advisories/GHSA-xh2x-3mrm-fwqm Third Party Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:gradio_project:gradio:*:*:*:*:*:python:*:*
History

17 Oct 2024, 16:57

Type Values Removed Values Added
CPE cpe:2.3:a:gradio_project:gradio:*:*:*:*:*:python:*:*
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 8.1
First Time Gradio Project gradio
Gradio Project
References () https://github.com/gradio-app/gradio/security/advisories/GHSA-xh2x-3mrm-fwqm - () https://github.com/gradio-app/gradio/security/advisories/GHSA-xh2x-3mrm-fwqm - Third Party Advisory

15 Oct 2024, 12:58

Type Values Removed Values Added
Summary
  • (es) Gradio es un paquete Python de código abierto diseñado para la creación rápida de prototipos. Esta vulnerabilidad implica una **condición de ejecución** en la función `update_root_in_config`, que permite a un atacante modificar la URL `root` utilizada por el frontend de Gradio para comunicarse con el backend. Al explotar esta falla, un atacante puede redirigir el tráfico de usuarios a un servidor malicioso. Esto podría llevar a la interceptación de datos confidenciales, como credenciales de autenticación o archivos cargados. Esto afecta a todos los usuarios que se conectan a un servidor Gradio, especialmente a aquellos expuestos a Internet, donde los actores maliciosos podrían explotar esta condición de ejecución. Se recomienda a los usuarios que actualicen a `gradio>=5` para solucionar este problema. No existen soluciones workarounds para este problema.

10 Oct 2024, 23:15

Type Values Removed Values Added
New CVE
Information

Published : 2024-10-10 23:15

Updated : 2024-10-17 16:57

NVD link : CVE-2024-47870

Mitre link : CVE-2024-47870

CVE.ORG link : CVE-2024-47870

JSON object : View

Products Affected

gradio_project

  • gradio
CWE
CWE-362

Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')


NetmanageIT Website NetmanageIT OSINT Web NetmanageIT OpenCTI NetmanageIT PDF Tools NetmanageIT CTO Corner Blog NetmanageIT Email Header Analyzer NetmanageIT Password Pusher NetmanageIT Internet Health and Latency Dashboard NetmanageIT Dedicated Speed Test Site NetmanageIT Ubuntu Mirror 10Gbps Copyright OpenCVE 2024