Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
githubGitHub Advisory DatabaseGHSA-MR7H-W2QC-FFC2
HistoryJun 27, 2024 - 9:32 p.m.

pytorch-lightning vulnerable to Arbitrary File Write via /v1/runs API endpoint

2024-06-2721:32:08
CWE-434
GitHub Advisory Database
github.com
23
pytorch-lightning
vulnerability
/v1/runs
api
endpoint
path traversal
tar.gz
files
lightningapp
plugin_server
malicious
directory
remote code execution

CVSS3

9.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

AI Score

7.7

Confidence

High

JSON

A vulnerability in the /v1/runs API endpoint of lightning-ai/pytorch-lightning v2.2.4 allows attackers to exploit path traversal when extracting tar.gz files. When the LightningApp is running with the plugin_server, attackers can deploy malicious tar.gz plugins that embed arbitrary files with path traversal vulnerabilities. This can result in arbitrary files being written to any directory in the victim’s local file system, potentially leading to remote code execution.

Affected configurations

Vulners
Node
lightning-vizlightningRange2.3.1node.js
VendorProductVersionCPE
lightning-vizlightning*cpe:2.3:a:lightning-viz:lightning:*:*:*:*:*:node.js:*:*

Related

cvelist 1
osv 1
cve 1
vulnrichment 1
nvd 1
cvelist
cvelist
CVE-2024-5980 Arbitrary File Write via /v1/runs API endpoint in lightning-ai/pytorch-lightning
2024-06-27 18:46:39
osv
osv
pytorch-lightning vulnerable to Arbitrary File Write via /v1/runs API endpoint
2024-06-27 21:32:08
cve
cve
CVE-2024-5980
2024-06-27 19:15:18
vulnrichment
vulnrichment
CVE-2024-5980 Arbitrary File Write via /v1/runs API endpoint in lightning-ai/pytorch-lightning
2024-06-27 18:46:39
nvd
nvd
CVE-2024-5980
2024-06-27 19:15:18

CVSS3

9.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

AI Score

7.7

Confidence

High

JSON
Related for GHSA-MR7H-W2QC-FFC2
cvelist1osv1cve1vulnrichment1nvd1