CVE-2024-37902 details
Product: DeepJavaLibrary (DJL), versions 0.1.0 - 0.27.0
Source: security-advisories@github.com
Published: June 17, 2024, 8:15 p.m.
Last Modified: June 17, 2024, 8:15 p.m.
Description
DeepJavaLibrary (DJL) is an engine-agnostic deep learning framework in Java. DJL versions 0.1.0 through 0.27.0 do not reject archive entries whose names are absolute paths, so extracting a malicious model artifact can write its files directly to arbitrary locations on the host, overwriting system files. This is fixed in DJL 0.28.0 and patched in DJL Large Model Inference containers version 0.27.0. Users are advised to upgrade.
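The defensive check this class of bug calls for, as an added illustration that is not DJL's own code: every archive entry name is resolved against the intended extraction directory and rejected if it is absolute or escapes that directory. `SafeArchiveExtractor`, `safeResolve` and `extract` are hypothetical names, and the entry names in `main` are constructed.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;

public final class SafeArchiveExtractor {
    // Hypothetical helper (not DJL's API): resolves an entry name against targetDir and
    // rejects anything that would land outside it: absolute names (the pattern in this
    // advisory, e.g. "/etc/passwd") and "../" traversal.
    static Path safeResolve(Path targetDir, String entryName) throws IOException {
        if (entryName.startsWith("/") || entryName.startsWith("\\")
                || entryName.matches("^[A-Za-z]:.*") || Paths.get(entryName).isAbsolute()) {
            throw new IOException("Rejected absolute entry path: " + entryName);
        }
        Path base = targetDir.toAbsolutePath().normalize();
        Path resolved = base.resolve(entryName).normalize();
        // Path.startsWith compares whole components, so "/tmp/model2" never matches "/tmp/model".
        if (!resolved.startsWith(base)) {
            throw new IOException("Rejected entry escaping target directory: " + entryName);
        }
        return resolved;
    }

    // Extracts a zip stream into targetDir, passing every entry through safeResolve first.
    static void extract(InputStream in, Path targetDir) throws IOException {
        try (ZipInputStream zip = new ZipInputStream(in)) {
            ZipEntry entry;
            while ((entry = zip.getNextEntry()) != null) {
                Path out = safeResolve(targetDir, entry.getName());
                if (entry.isDirectory()) {
                    Files.createDirectories(out);
                } else {
                    Files.createDirectories(out.getParent());
                    Files.copy(zip, out); // reads only the current entry's bytes
                }
            }
        }
    }

    public static void main(String[] args) throws IOException {
        Path dir = Files.createTempDirectory("djl-model");
        // Constructed entry names; the first two are the kind a hostile artifact would carry.
        for (String name : new String[] {"/etc/passwd", "../../escape.txt", "model/weights.bin"}) {
            try {
                System.out.println("OK       " + safeResolve(dir, name));
            } catch (IOException ex) {
                System.out.println("REJECTED " + ex.getMessage());
            }
        }
    }
}
```

Only the third name resolves to a path under the temporary directory; the other two are rejected before any file is written.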
CVSS Score: 10.0
CVSS Data
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Base Score: 10.0
Exploitability Score: 3.9
Impact Score: 6.0
Base Severity: CRITICAL
Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
References
URL | Source |
---|---|
https://github.com/deepjavalibrary/djl/releases/tag/v0.28.0 | security-advisories@github.com |
https://github.com/deepjavalibrary/djl/security/advisories/GHSA-w877-jfw7-46rj | security-advisories@github.com |
This website uses the NVD API, but is not approved or certified by it.