Published: 06 Mar 2022
Source: github
Github: Reviewed
CVSS4: 9.3
CVSS3: 9.8
Description
Code Injection in PyTorch Lightning
PyTorch Lightning versions 1.5.10 and earlier are vulnerable to code injection. An attacker who can set the PL_TRAINER_GPUS environment variable can execute commands on the operating system of the host running the Trainer module. A patch is included in the 1.6.0 release.
References
- https://nvd.nist.gov/vuln/detail/CVE-2022-0845
- https://github.com/PyTorchLightning/pytorch-lightning/pull/12212
- https://github.com/pytorchlightning/pytorch-lightning/commit/8b7a12c52e52a06408e9231647839ddb4665e8ae
- https://github.com/advisories/GHSA-r5qj-cvf9-p85h
- https://github.com/pypa/advisory-database/tree/main/vulns/pytorch-lightning/PYSEC-2022-181.yaml
- https://github.com/pytorchlightning/pytorch-lightning
- https://huntr.dev/bounties/a795bf93-c91e-4c79-aae8-f7d8bda92e2a
Packages
Name: pytorch-lightning
Ecosystem: pip
Affected versions: < 1.6.0
Fixed version: 1.6.0
Related vulnerabilities
CVSS3: 9.8
nvd
almost 4 years ago
Code Injection in GitHub repository pytorchlightning/pytorch-lightning prior to 1.6.0.