vulnrichment | JFROG | VULNRICHMENT:CVE-2024-6507
History: Jul 04, 2024 - 11:58 a.m.

CVE-2024-6507 Deep Lake Kaggle command injection

2024-07-04 11:58:21
JFROG
github.com
6
command injection
kaggle
input sanitization
api

CVSS3: 8.1

Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score: 7.3
Confidence: Low

SSVC

Exploitation: poc
Automatable: no
Technical Impact: total

Command injection when ingesting a remote Kaggle dataset due to a lack of input sanitization in the ingest_kaggle() API

ADP Affected

[
  {
    "cpes": [
      "cpe:2.3:a:deeplake:deeplake:3.9.10:*:*:*:*:*:*:*"
    ],
    "vendor": "deeplake",
    "product": "deeplake",
    "versions": [
      {
        "status": "affected",
        "version": "0",
        "versionType": "custom",
        "lessThanOrEqual": "3.9.10"
      }
    ],
    "defaultStatus": "unknown"
  }
]
