7 matches found
Arbitrary Code Injection
Overview bentoml is a BentoML: Build Production-Grade AI Applications Affected versions of this package are vulnerable to Arbitrary Code Injection via the envs.name field in the configuration file during Dockerfile generation. An attacker can execute arbitrary commands on the build host by crafti...
BentoML < 1.4.38 Multiple Vulnerabilities (GHSA-fgv4-6jr3-jgfw, GHSA-v959-cwq9-7hr6)
The version of the BentoML library installed on the remote host is prior to 1.4.38. It is, therefore, affected by multiple vulnerabilities: - The cloud deployment path in deployment.py was not included in the fix for CVE-2026-33744. The systempackages field is interpolated directly into a shell...
CVE-2026-35044
BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Prior to 1.4.38, the Dockerfile generation function generatecontainerfile in src/bentoml/internal/container/generate.py uses an unsandboxed jinja2.Environment with the jinja2.ext.do extensio...
CVE-2026-35044 BentoML has a Server-Side Template Injection via unsandboxed Jinja2 Environment in Dockerfile generation
BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Prior to 1.4.38, the Dockerfile generation function generatecontainerfile in src/bentoml/internal/container/generate.py uses an unsandboxed jinja2.Environment with the jinja2.ext.do extensio...
CVE-2026-35044 BentoML has a Server-Side Template Injection via unsandboxed Jinja2 Environment in Dockerfile generation
BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Prior to 1.4.38, the Dockerfile generation function generatecontainerfile in src/bentoml/internal/container/generate.py uses an unsandboxed jinja2.Environment with the jinja2.ext.do extensio...
CVE-2026-35044
Summary (CVE-2026-35044) BentoML prior to 1.4.38 is vulnerable to server-side template injection via an unsandboxed Jinja2 environment used to render Dockerfile templates during containerization. attacker-controlled templates can execute arbitrary Python on the host during template rendering (not...
SUSE-SU-2025:03271-2 Security update for busybox, busybox-links
This update for busybox, busybox-links fixes the following issues: Updated to version 1.37.0 jscPED-13039: - CVE-2023-42363: Fixed use-after-free vulnerability in xasprintf function in xfuncsprintf.c bsc1217580 - CVE-2023-42364: Fixed use-after-free in the awk.c evaluate function bsc1217584 -...