A remote code execution (RCE) vulnerability exists in the lightning-ai/pytorch-lightning library version 2.2.1 due to improper handling of deserialized user input and mismanagement of dunder attributes by the deepdiff library. The library uses deepdiff.Delta objects to modify application state based on frontend actions. However, it is possible to bypass the intended restrictions on modifying dunder attributes, allowing an attacker to construct a serialized delta that passes the deserializer whitelist and contains dunder attributes. When processed, this can be exploited to access other modules, classes, and instances, leading to arbitrary attribute write and total RCE on any self-hosted pytorch-lightning application in its default configuration, as the delta endpoint is enabled by default.
Use of vulnerable components will introduce weaknesses into the application. Components with published vulnerabilities will allow easy exploitation as resources will often be available to automate the process.
Vulnerable Library - pytorch_lightning-1.8.1-py3-none-any.whl
PyTorch Lightning is the lightweight PyTorch wrapper for ML researchers. Scale your models. Write less boilerplate.
Library home page: https://files.pythonhosted.org/packages/54/8f/ff9e74724d1c203e8f1efe4b763ef941a68672eaeae9512391a5d3125cae/pytorch_lightning-1.8.1-py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c
Vulnerabilities
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2024-5452
Vulnerable Library - pytorch_lightning-1.8.1-py3-none-any.whl
PyTorch Lightning is the lightweight PyTorch wrapper for ML researchers. Scale your models. Write less boilerplate.
Library home page: https://files.pythonhosted.org/packages/54/8f/ff9e74724d1c203e8f1efe4b763ef941a68672eaeae9512391a5d3125cae/pytorch_lightning-1.8.1-py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy:
Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c
Found in base branch: main
Vulnerability Details
A remote code execution (RCE) vulnerability exists in the lightning-ai/pytorch-lightning library version 2.2.1 due to improper handling of deserialized user input and mismanagement of dunder attributes by the deepdiff library. The library uses deepdiff.Delta objects to modify application state based on frontend actions. However, it is possible to bypass the intended restrictions on modifying dunder attributes, allowing an attacker to construct a serialized delta that passes the deserializer whitelist and contains dunder attributes. When processed, this can be exploited to access other modules, classes, and instances, leading to arbitrary attribute write and total RCE on any self-hosted pytorch-lightning application in its default configuration, as the delta endpoint is enabled by default.
Publish Date: 2024-06-06
URL: CVE-2024-5452
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-cgwc-qvrx-rf7f
Release Date: 2024-06-06
Fix Resolution: lightning - 2.3.3