Back

CVE-2024-5452

June 6, 2024, 6:15 p.m.

Received
CVE has been recently published to the CVE List and has been received by the NVD.

Products

pytorch-lightning

  • 2.2.1

Source

security@huntr.dev

Tags

security@huntr.dev
2024-06-06
CVE-2024-5452
CWE-915

CVE-2024-5452 details

Published : June 6, 2024, 6:15 p.m.
Last Modified : June 6, 2024, 6:15 p.m.

Description

A remote code execution (RCE) vulnerability exists in the lightning-ai/pytorch-lightning library version 2.2.1 due to improper handling of deserialized user input and mismanagement of dunder attributes by the `deepdiff` library. The library uses `deepdiff.Delta` objects to modify application state based on frontend actions. However, it is possible to bypass the intended restrictions on modifying dunder attributes, allowing an attacker to construct a serialized delta that passes the deserializer whitelist and contains dunder attributes. When processed, this can be exploited to access other modules, classes, and instances, leading to arbitrary attribute write and total RCE on any self-hosted pytorch-lightning application in its default configuration, as the delta endpoint is enabled by default.

CVSS Score

1 2 3 4 5 6 7 8 9.8 10

Weakness

Weakness Name Description

CVSS Data

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

Base Score

9.8

Exploitability Score

Impact Score

Base Severity

CRITICAL

Vector String : CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

URL Source
https://huntr.com/bounties/486add92-275e-4a7b-92f9-42d84bc759da security@huntr.dev
This website uses the NVD API, but is not approved or certified by it.