CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
AI Score confidence: High
EPSS percentile: 10.5%
Deep Java Library (DJL) versions 0.1.0 through 0.27.0 do not prevent archive entries with absolute paths from being extracted directly onto the file system, which lets archived files overwrite system files. This is fixed in DJL 0.28.0 and patched in DJL Large Model Inference containers 0.27.0.
Impacted versions: 0.1.0 through 0.27.0
Patched Deep Learning Containers:
v1.1-djl-0.27.0-inf-cpu-full
v1.4-djl-0.27.0-inf-ds-0.12.6
v1.4-djl-0.27.0-inf-trt-0.8.0
v1.3-djl-0.27.0-inf-neuronx-sdk2.18.1
Patched Library:
v0.28.0
github.com/advisories/GHSA-w877-jfw7-46rj
github.com/aws/deep-learning-containers/releases/tag/v1.1-djl-0.27.0-inf-cpu-full
github.com/aws/deep-learning-containers/releases/tag/v1.3-djl-0.27.0-inf-neuronx-sdk2.18.1
github.com/aws/deep-learning-containers/releases/tag/v1.4-djl-0.27.0-inf-ds-0.12.6
github.com/aws/deep-learning-containers/releases/tag/v1.4-djl-0.27.0-inf-trt-0.8.0
github.com/deepjavalibrary/djl/releases/tag/v0.28.0
github.com/deepjavalibrary/djl/security/advisories/GHSA-w877-jfw7-46rj
nvd.nist.gov/vuln/detail/CVE-2024-37902