GHSA-3x5x-fw77-g54c

Опубликовано: 05 мар. 2025

Источник: github

Github: Прошло ревью

CVSS4: 8.9

Описание

dmlc/dgl Vulnerable to Remote Code Execution by Pickle Deserialization via rpc.recv_request()

Impact

Dgl implements rpc server (start_server() in rpc_server.py) for supporting the RPC communications among different remote users over networks. It relies on pickle serialize and deserialize to pack and unpack network messages. The is a known risk in pickle deserialization functionality that can be used for remote code execution.

Patches

TBD.

Workarounds

When running DGL distributed training and inference (DistDGL) make sure you do not assign public IPs to any instance in the cluster.

References

Issue #7874

Reported by

Pinji Chen (cpj24@mails.tsinghua.edu.cn) from NISL lab (https://netsec.ccert.edu.cn/about) at Tsinghua University

Ссылки

Пакеты

Наименование

dgl

pip

Затронутые версииВерсия исправления

<= 2.4.0

Отсутствует

8.9 High

CVSS4

Дефекты

CWE-502

8.9 High

CVSS4

Дефекты

CWE-502