pytorch-lightning
Fixed in
1.6.0
CVE-2022-0845 is a critical code injection vulnerability discovered in the PyTorch Lightning GitHub repository. This flaw allows an attacker to inject and execute arbitrary code, potentially leading to complete system compromise. The vulnerability affects versions of PyTorch Lightning up to and including 1.5.10.post0, with a fix available in version 1.6.0.
The code injection vulnerability in PyTorch Lightning arises from insufficient input validation within the repository. An attacker can craft malicious code and inject it into the system, leading to remote code execution (RCE). Successful exploitation could allow an attacker to gain full control over the affected system, including access to sensitive data, modification of system configurations, and installation of malware. The potential blast radius is significant, particularly in environments where PyTorch Lightning is used for training and deploying machine learning models, as attackers could compromise the entire training pipeline and potentially inject malicious models into production.
CVE-2022-0845 was publicly disclosed on March 5, 2022. While no active exploitation campaigns have been definitively linked to this CVE, the CRITICAL severity and the potential for RCE make it a high-priority vulnerability. No public proof-of-concept exploits were immediately available, but the nature of the vulnerability suggests that such exploits could be developed relatively easily. It is not currently listed on the CISA KEV catalog.
Organizations and individuals utilizing PyTorch Lightning for machine learning model training and deployment are at risk, particularly those using older versions (≤1.5.10.post0). This includes researchers, data scientists, and DevOps engineers working with PyTorch-based projects. Shared hosting environments where PyTorch Lightning is deployed could also be vulnerable if multiple users share the same environment and one user can inject malicious code.
• python / supply-chain: check the installed version; every release up to and including 1.5.10.post0 is affected.
import subprocess

result = subprocess.run(['pip', 'show', 'pytorch-lightning'], capture_output=True, text=True)
# Read the "Version:" line by name instead of relying on a fixed line index in pip's output
version = next((line.split(':', 1)[1].strip() for line in result.stdout.splitlines() if line.startswith('Version:')), None)
# Any release before 1.6.0 (including 1.5.10.post0) predates the fix
if version and tuple(int(p) for p in version.split('.')[:2]) < (1, 6):
    print('Vulnerable version detected!')
• python / server: Review PyTorch Lightning configuration files for any unusual or unexpected code snippets.
• generic web: Inspect PyTorch Lightning model deployment pipelines for potential injection points.
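Extending the installed-version check to a requirements file, as an added example (not code from the advisory or from PyTorch Lightning): it normalizes the package name, treats every release before 1.6.0, post-releases of 1.5.10 included, as affected, and flags unpinned requirements because the resolver may still select an affected build. The sample requirements text is constructed.

```python
import re

FIXED_RELEASE = (1, 6, 0)  # first release carrying the fix, per the advisory
PACKAGE = "pytorch-lightning"

def normalize_name(name):
    """PEP 503 name normalization: 'PyTorch_Lightning' -> 'pytorch-lightning'."""
    return re.sub(r"[-_.]+", "-", name).lower()

def release_tuple(version):
    """Numeric release segment of a PEP 440 version: '1.5.10.post0' -> (1, 5, 10).
    The post/pre/dev suffix is dropped: every 1.5.x build predates the 1.6.0 fix."""
    m = re.match(r"^\s*v?(\d+(?:\.\d+)*)", version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(p) for p in m.group(1).split("."))

def is_affected(version):
    return release_tuple(version) < FIXED_RELEASE

def scan_requirements(text):
    """Return (line, verdict) for each pytorch-lightning requirement in text.
    verdict: 'affected', 'fixed', or 'unpinned' (no == pin; treat as a finding)."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        m = re.match(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(\[[^\]]*\])?\s*(.*)$", line)
        if not m or normalize_name(m.group(1)) != PACKAGE:
            continue
        pin = re.match(r"^==(?!=)\s*([^\s,;]+)", m.group(3))
        if pin:
            verdict = "affected" if is_affected(pin.group(1)) else "fixed"
        else:
            verdict = "unpinned"
        findings.append((raw, verdict))
    return findings

# Constructed sample requirements file, not taken from any real project
SAMPLE = """\
torch==1.11.0
pytorch-lightning==1.5.10.post0   # affected: last release before the fix
PyTorch_Lightning==1.6.0          # same package, other spelling: fixed
pytorch-lightning>=1.5            # no pin: resolver may pick an affected build
"""

if __name__ == "__main__":
    for line, verdict in scan_requirements(SAMPLE):
        print(f"{verdict:9s} {line}")
```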
disclosure
Exploit status
EPSS
0.27% (51st percentile)
CVSS vector
The primary mitigation for CVE-2022-0845 is to immediately upgrade PyTorch Lightning to version 1.6.0 or later. If an immediate upgrade is not feasible due to compatibility issues or breaking changes, consider implementing stricter input validation on any user-provided data used within PyTorch Lightning workflows. While a direct WAF rule is unlikely to be effective, carefully reviewing and sanitizing any external data passed to PyTorch Lightning models can reduce the attack surface. Monitor PyTorch Lightning repositories for suspicious activity and review commit history for potentially malicious code.
Update the pytorch-lightning library to version 1.6.0 or later. This fixes the code injection vulnerability. You can update with pip: `pip install pytorch-lightning --upgrade`.
CVE-2022-0845 is a critical code injection vulnerability affecting PyTorch Lightning versions up to 1.5.10.post0, allowing attackers to execute arbitrary code.
If you are using PyTorch Lightning versions 1.5.10.post0 or earlier, you are vulnerable to this code injection vulnerability.
Upgrade PyTorch Lightning to version 1.6.0 or later to remediate the vulnerability. Review and sanitize any external data used within PyTorch Lightning workflows.
While no confirmed active exploitation campaigns have been publicly reported, the CRITICAL severity warrants immediate attention and mitigation.
Refer to the PyTorch Lightning GitHub repository and related security advisories for the latest information: [https://github.com/pytorch/pytorch-lightning](https://github.com/pytorch/pytorch-lightning)