Products
huggingface/text-generation-inference (repository and releases), up to and including v2.0.0
Source
security@huntr.dev
CVE-2024-3924 details
Last Modified : May 30, 2024, 6:19 p.m.
Description
A code injection vulnerability exists in the huggingface/text-generation-inference repository, in the `autodocs.yml` GitHub Actions workflow. The workflow interpolates the `github.head_ref` context (the name of a pull request's source branch) directly into a command that installs a software package. Because `${{ ... }}` expressions are substituted into a `run:` script before the shell executes it, the branch name becomes part of the command rather than an argument to it. An attacker can exploit this by forking the repository, creating a branch whose name carries a shell payload, and opening a pull request against the base repository; when the workflow runs for that pull request, the payload executes as arbitrary code in the context of the GitHub Actions runner. The standard mitigation for this class of bug is to pass untrusted context values through an intermediate environment variable (`env:`) and reference them in the script as a quoted shell variable, so the value reaches the shell as data rather than as code. This issue affects versions up to and including v2.0.0; the advisory records the fix as version 2.0.0, and the fix commit is listed under References.
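As an added example (not code from this page or from the text-generation-inference project), the following Python scanner flags untrusted GitHub context values interpolated into `run:` steps, and renders a `run:` script the way the runner does to show why that interpolation is dangerous. The two workflow snippets are constructed for illustration and are not the actual `autodocs.yml`; the list of untrusted contexts is an abbreviated version of the one in GitHub's workflow security-hardening documentation, and `example/repo` is a placeholder.

```python
"""Detect GitHub Actions expression injection: ${{ ... }} contexts that an
outside contributor controls, interpolated into run: scripts.

Added example, not from the huggingface/text-generation-inference repository.
The workflow texts below are constructed for illustration only.
"""
import re

# Abbreviated from GitHub's security-hardening docs. Prefix-matched, so
# github.event.commits[0].message and github.event.head_commit.author.name count.
UNTRUSTED_PREFIXES = (
    "github.head_ref",
    "github.event.pull_request.title",
    "github.event.pull_request.body",
    "github.event.pull_request.head.ref",
    "github.event.pull_request.head.label",
    "github.event.issue.title",
    "github.event.issue.body",
    "github.event.comment.body",
    "github.event.review.body",
    "github.event.commits",
    "github.event.head_commit.message",
    "github.event.head_commit.author",
)

EXPRESSION = re.compile(r"\$\{\{(.*?)\}\}")
CONTEXT_REF = re.compile(r"github\.[A-Za-z0-9_.\[\]*-]+")
RUN_KEY = re.compile(r"^(\s*)(-\s+)?run:\s*(.*)$")


def run_step_lines(workflow_text):
    """Yield (line_no, text) for each line that belongs to a run: value.

    Indentation-based: a block scalar (run: | or run: >) spans every following
    line indented deeper than the 'run' key. This avoids a YAML dependency.
    """
    lines = workflow_text.splitlines()
    i = 0
    while i < len(lines):
        m = RUN_KEY.match(lines[i])
        if not m:
            i += 1
            continue
        key_indent = len(m.group(1)) + len(m.group(2) or "")
        value = m.group(3).strip()
        if value and value[0] in "|>":          # block scalar header: |, >, |-, >+ ...
            i += 1
            while i < len(lines):
                line = lines[i]
                if line.strip() and len(line) - len(line.lstrip()) <= key_indent:
                    break                       # dedented: the script ended
                if line.strip():
                    yield i + 1, line
                i += 1
        else:                                   # inline form: run: some command
            yield i + 1, lines[i]
            i += 1


def is_untrusted(ref):
    return any(ref == p or ref.startswith(p + ".") or ref.startswith(p + "[")
               for p in UNTRUSTED_PREFIXES)


def find_injections(workflow_text):
    """Return [(line_no, context_ref), ...] for untrusted contexts inside run: scripts."""
    findings = []
    for line_no, text in run_step_lines(workflow_text):
        for expr in EXPRESSION.finditer(text):
            for ref in CONTEXT_REF.findall(expr.group(1)):
                if is_untrusted(ref):
                    findings.append((line_no, ref))
    return findings


def render_run_script(script, context):
    """Mimic the runner: ${{ expr }} is replaced textually before the shell starts."""
    return EXPRESSION.sub(lambda m: context.get(m.group(1).strip(), ""), script)


# Constructed: the PR branch name lands inside the shell command itself.
VULNERABLE_WORKFLOW = """\
name: autodocs
on:
  pull_request:
jobs:
  docs:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Install the package from the PR branch
        run: |
          pip install "git+https://github.com/example/repo@${{ github.head_ref }}"
          echo "building docs for ${{ github.repository }}"
"""

# Constructed: same step, value passed via env and expanded by the shell, quoted.
HARDENED_WORKFLOW = """\
name: autodocs
on:
  pull_request:
jobs:
  docs:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Install the package from the PR branch
        env:
          HEAD_REF: ${{ github.head_ref }}
        run: |
          pip install "git+https://github.com/example/repo@${HEAD_REF}"
          echo "building docs for ${{ github.repository }}"
"""

if __name__ == "__main__":
    for label, text in (("vulnerable", VULNERABLE_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(label, find_injections(text) or "no untrusted contexts in run: steps")
    # '$(id)' is a legal git branch name; once substituted it is shell syntax,
    # and double quotes do not stop command substitution.
    print(render_run_script(VULNERABLE_WORKFLOW.splitlines()[10].strip(),
                            {"github.head_ref": "$(id)"}))
```

The hardened form is only safe because the script references `"${HEAD_REF}"` inside double quotes; an unquoted `$HEAD_REF` would still be split and glob-expanded by the shell, and the `env:` indirection alone does not help if the value is later passed to `eval` or to another `${{ }}` expression. The prefix list is deliberately short; extend it from GitHub's documentation before relying on the scanner in CI.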
CVSS Score
4.4 / 10
CVSS Data
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
Base Score
4.4
Exploitability Score
1.3
Impact Score
2.7
Base Severity
MEDIUM
Vector String : CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N
References
URL | Source |
---|---|
https://github.com/huggingface/text-generation-inference/commit/88702d876383f7200eccf67e28ba00500dc804bb | security@huntr.dev |
https://huntr.com/bounties/8af92fc2-0103-4d29-bb28-c3893154c422 | security@huntr.dev |