GitHub Advisory DatabaseGHSA-W877-JFW7-46RJDeepJavaLibrary API absolute path traversal
10 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
6.7 Medium
AI Score
Confidence
High
0.0004 Low
EPSS
Percentile
10.6%
Summary
DeepJavaLibrary(DJL) versions 0.1.0 through 0.27.0 do not prevent absolute path archived artifacts from inserting archived files directly into the system, overwriting system files. This is fixed in DJL 0.28.0 and patched in DJL Large Model Inference containers 0.27.0.
Impacted versions: 0.1.0 through 0.27.0
Patches
Patched Deep Learning Containers:
v1.1-djl-0.27.0-inf-cpu-full
v1.4-djl-0.27.0-inf-ds-0.12.6
v1.4-djl-0.27.0-inf-trt-0.8.0
v1.3-djl-0.27.0-inf-neuronx-sdk2.18.1
Patched Library:
v0.28.0
Affected configurations
| CPE | Name | Operator | Version |
|---|---|---|---|
| ai.djl:api | lt | 0.28.0 |
References
github.com/advisories/GHSA-w877-jfw7-46rj
github.com/aws/deep-learning-containers/releases/tag/v1.1-djl-0.27.0-inf-cpu-full
github.com/aws/deep-learning-containers/releases/tag/v1.3-djl-0.27.0-inf-neuronx-sdk2.18.1
github.com/aws/deep-learning-containers/releases/tag/v1.4-djl-0.27.0-inf-ds-0.12.6
github.com/aws/deep-learning-containers/releases/tag/v1.4-djl-0.27.0-inf-trt-0.8.0
github.com/deepjavalibrary/djl/releases/tag/v0.28.0
github.com/deepjavalibrary/djl/security/advisories/GHSA-w877-jfw7-46rj
nvd.nist.gov/vuln/detail/CVE-2024-37902
Related
10 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
6.7 Medium
AI Score
Confidence
High
0.0004 Low
EPSS
Percentile
10.6%