paddlepaddle
Fixed in
2.6.0
CVE-2024-0521 describes a critical command injection vulnerability discovered in PaddlePaddle, a deep learning framework. This flaw allows attackers to execute arbitrary commands on a system if they can control the URL parameter used in certain operations. The vulnerability affects versions of PaddlePaddle up to 2.5.2, and a fix is available in version 2.6.0.
The impact of this vulnerability is severe. An attacker who can inject commands via the URL parameter can gain complete control over the affected system. This could involve stealing sensitive data, installing malware, or using the system as a launchpad for further attacks. The ability to execute arbitrary commands significantly expands the attack surface and increases the potential for widespread damage. The lack of proper input validation makes this a particularly dangerous vulnerability, as it can be exploited with minimal effort.
CVE-2024-0521 was publicly disclosed on January 20, 2024. The vulnerability's severity is high due to the ease of exploitation and potential for significant impact. No public proof-of-concept exploits have been widely reported at the time of writing, but the nature of command injection vulnerabilities makes it likely that exploits will emerge. The vulnerability is not currently listed on the CISA KEV catalog.
Organizations and individuals using PaddlePaddle for deep learning applications, particularly those deploying it in production environments or integrating it with untrusted data sources, are at risk. Those using older, unpatched versions of PaddlePaddle are especially vulnerable. Shared hosting environments where multiple users share the same server are also at increased risk.
• python / supply-chain:

```python
import subprocess
import sys

# Ask the current interpreter for the installed PaddlePaddle version
result = subprocess.run([sys.executable, '-c', 'import paddle; print(paddle.__version__)'],
                        capture_output=True, text=True)
version = result.stdout.strip()
if not version:
    raise SystemExit('PaddlePaddle is not importable in this interpreter')
# Compare numerically: as strings, '2.10.0' would sort below '2.5.2'
parts = tuple(int(p) for p in version.split('.')[:3] if p.isdigit())
if parts <= (2, 5, 2):
    print('PaddlePaddle version is vulnerable!')
```

• generic web: Check for unusual command execution patterns in system logs. Look for processes spawned with unexpected arguments containing URL-like strings.
• python / server: Monitor Python processes for suspicious network connections or file access patterns.
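The "generic web" detection bullet above can be turned into a concrete log check. The following is an added example, not code from PaddlePaddle or from this advisory: it scans process-execution log lines for a command that carries a URL together with shell metacharacters, which is the signature of a URL being spliced into a shell command. The log format (`<timestamp> exec uid=<n> cmd='<command line>'`) and every sample line are constructed for this illustration; adapt `LINE_RE` to your own audit or EDR export.

```python
import re

# Added example (not PaddlePaddle code). Assumed log format, constructed for this
# illustration: "<timestamp> exec uid=<n> cmd='<command line>'"
SAMPLE_LOG = """\
2024-01-21T10:00:01Z exec uid=1000 cmd='wget https://models.example.org/resnet50.tgz -O /tmp/model.tgz'
2024-01-21T10:00:05Z exec uid=1000 cmd='sh -c "wget https://models.example.org/m.tgz; id"'
2024-01-21T10:00:09Z exec uid=1000 cmd='python train.py --epochs 10'
2024-01-21T10:00:12Z exec uid=1000 cmd='wget https://models.example.org/q?a=1&b=2 -O /tmp/q.tgz'
2024-01-21T10:00:15Z exec uid=1000 cmd='sh -c "wget https://models.example.org/a.tgz $(id)"'
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) exec uid=(?P<uid>\d+) cmd='(?P<cmd>.*)'$")
URL_RE = re.compile(r"https?://[^\s'\"]+")
# Shell constructs that have no business in a command built from a URL.
# A lone '&' is deliberately excluded: it is normal inside query strings.
META_RE = re.compile(r";|\|\||\||&&|\$\(|`")


def suspicious_url_commands(log_text):
    """Return (timestamp, cmd) for commands that carry a URL *and* shell metacharacters."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a process-exec record in the assumed format
        cmd = m.group('cmd')
        if URL_RE.search(cmd) and META_RE.search(cmd):
            hits.append((m.group('ts'), cmd))
    return hits


if __name__ == '__main__':
    for ts, cmd in suspicious_url_commands(SAMPLE_LOG):
        print(f'{ts}  SUSPICIOUS  {cmd}')
```

The fourth sample line shows why `&` is not treated as a metacharacter on its own: a query string would otherwise produce a false positive on every legitimate download. Lines two and five are the ones flagged.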
Disclosure
Exploit status
EPSS: 0.10% (27th percentile)
CVSS vector
The primary mitigation for CVE-2024-0521 is to upgrade to PaddlePaddle version 2.6.0 or later, which contains the necessary fix. If upgrading immediately is not possible, consider implementing input validation and sanitization on the URL parameter before it is used in command construction. While not a complete solution, this can reduce the risk. Additionally, restrict network access to the PaddlePaddle deployment to only trusted sources. Monitor system logs for suspicious command execution patterns.
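The interim mitigation above (validate the URL parameter before it reaches command construction) is best paired with not constructing a shell command string at all. The block below is an added example and is not PaddlePaddle's code or its fix; it shows the weak pattern beside the hardened one. The allowlisted host `models.example.org`, the `wget` invocation and the function names are assumptions chosen for the illustration.

```python
import subprocess
from urllib.parse import urlparse

# Added example, not PaddlePaddle code. The allowlist is a deployment-specific
# assumption; 'models.example.org' is a constructed placeholder host.
ALLOWED_SCHEMES = {'https'}
ALLOWED_HOSTS = {'models.example.org'}
# Characters a download URL never needs but a shell would interpret.
FORBIDDEN = set(';|`$()<>\n\r\t \'"\\')


class UnsafeURL(ValueError):
    """Raised when a user-supplied URL fails validation."""


def validate_download_url(url):
    if any(c in FORBIDDEN for c in url):
        raise UnsafeURL('shell metacharacter or whitespace in URL')
    p = urlparse(url)
    if p.scheme not in ALLOWED_SCHEMES:
        raise UnsafeURL(f'scheme {p.scheme!r} not allowed')
    if p.username or p.password:
        # 'https://host@evil.example/' parses the real host out of the userinfo
        raise UnsafeURL('credentials in URL not allowed')
    if p.hostname not in ALLOWED_HOSTS:
        raise UnsafeURL(f'host {p.hostname!r} not allowed')
    return url


def is_safe_download_url(url):
    try:
        validate_download_url(url)
        return True
    except UnsafeURL:
        return False


def download_unsafe(url, dest):
    # Vulnerable pattern, shown for contrast only: the URL is spliced into a
    # string that a shell parses, so anything in it becomes part of the command.
    return subprocess.run(f'wget -O {dest} {url}', shell=True)


def build_download_command(url, dest):
    # Hardened: validate first, then pass argv as a list with shell=False so the
    # URL is a single argument that no shell ever interprets.
    return ['wget', '-O', dest, validate_download_url(url)]


def download(url, dest):
    return subprocess.run(build_download_command(url, dest), shell=False, check=True)
```

Passing argv as a list is the fix for the injection itself; the allowlist and the credential check are defense in depth that also stop the downloader from being pointed at arbitrary hosts.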
Update paddlepaddle/paddle to the latest available version. This will fix the code injection vulnerability. See the release notes for details on the fix.
CVE-2024-0521 is a critical command injection vulnerability affecting PaddlePaddle versions up to 2.5.2. It allows attackers to execute arbitrary commands by manipulating a URL parameter, potentially leading to remote code execution.
You are affected if you are using PaddlePaddle version 2.5.2 or earlier. Check your PaddlePaddle version and upgrade if necessary.
Upgrade to PaddlePaddle version 2.6.0 or later to resolve this vulnerability. If immediate upgrade is not possible, implement input validation on the URL parameter.
While no widespread exploitation has been confirmed, the nature of command injection vulnerabilities suggests that exploitation is likely. Monitor your systems for suspicious activity.
Refer to the PaddlePaddle security advisory for detailed information and updates: [https://github.com/PaddlePaddle/Paddle/security/advisories/GHSA-9999](https://github.com/PaddlePaddle/Paddle/security/advisories/GHSA-9999)