Https://gitlab.com/gitlab-org/security-products/gemnasium-dbGITLAB-C84945314C34DE5417C70D2EBFE30D3BDeepJavaLibrary API absolute path traversal
10 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
6.6 Medium
AI Score
Confidence
Low
0.0004 Low
EPSS
Percentile
10.6%
DeepJavaLibrary(DJL) versions 0.1.0 through 0.27.0 do not prevent absolute path archived artifacts from inserting archived files directly into the system, overwriting system files. This is fixed in DJL 0.28.0 and patched in DJL Large Model Inference containers 0.27.0.
Impacted versions: 0.1.0 through 0.27.0
Affected configurations
| CPE | Name | Operator | Version |
|---|---|---|---|
| maven/ai.djl/api | ge | 0.1.0 | |
| maven/ai.djl/api | lt | 0.28.0 |
References
github.com/advisories/GHSA-w877-jfw7-46rj
github.com/aws/deep-learning-containers/releases/tag/v1.1-djl-0.27.0-inf-cpu-full
github.com/aws/deep-learning-containers/releases/tag/v1.3-djl-0.27.0-inf-neuronx-sdk2.18.1
github.com/aws/deep-learning-containers/releases/tag/v1.4-djl-0.27.0-inf-ds-0.12.6
github.com/aws/deep-learning-containers/releases/tag/v1.4-djl-0.27.0-inf-trt-0.8.0
github.com/deepjavalibrary/djl
github.com/deepjavalibrary/djl/releases/tag/v0.28.0
github.com/deepjavalibrary/djl/security/advisories/GHSA-w877-jfw7-46rj
nvd.nist.gov/vuln/detail/CVE-2024-37902
Related
10 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
6.6 Medium
AI Score
Confidence
Low
0.0004 Low
EPSS
Percentile
10.6%