Lucene search

K
githubGitHub Advisory DatabaseGHSA-W877-JFW7-46RJ
HistoryJun 17, 2024 - 9:20 p.m.

DeepJavaLibrary API absolute path traversal

2024-06-1721:20:44
CWE-22
GitHub Advisory Database
github.com
23
deepjavalibrary
security patch
absolute pathtraversal
vulnerability
software security

CVSS3

10

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

AI Score

6.7

Confidence

High

EPSS

0

Percentile

10.5%

Summary

DeepJavaLibrary(DJL) versions 0.1.0 through 0.27.0 do not prevent absolute path archived artifacts from inserting archived files directly into the system, overwriting system files. This is fixed in DJL 0.28.0 and patched in DJL Large Model Inference containers 0.27.0.

Impacted versions: 0.1.0 through 0.27.0

Patches

Patched Deep Learning Containers:
v1.1-djl-0.27.0-inf-cpu-full
v1.4-djl-0.27.0-inf-ds-0.12.6
v1.4-djl-0.27.0-inf-trt-0.8.0
v1.3-djl-0.27.0-inf-neuronx-sdk2.18.1

Patched Library:
v0.28.0

Affected configurations

Vulners
Node
ai.djlapiRange0.1.00.28.0
VendorProductVersionCPE
ai.djlapi*cpe:2.3:a:ai.djl:api:*:*:*:*:*:*:*:*

CVSS3

10

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

AI Score

6.7

Confidence

High

EPSS

0

Percentile

10.5%