Platform: python
Component: paddlepaddle
Fixed in: 2.6.0
CVE-2024-0521 describes a critical command injection vulnerability discovered in PaddlePaddle, a deep learning framework. This flaw allows attackers to execute arbitrary commands on a system if they can control the URL parameter used in certain operations. The vulnerability affects versions of PaddlePaddle up to 2.5.2, and a fix is available in version 2.6.0.
The impact of this vulnerability is severe. An attacker who can inject commands via the URL parameter can gain complete control over the affected system, which could mean stealing sensitive data, installing malware, or using the system as a launchpad for further attacks. The ability to execute arbitrary commands significantly expands the attack surface and increases the potential for widespread damage. The absence of proper input validation on the URL parameter makes this a particularly dangerous vulnerability, as it can be exploited with minimal effort.
CVE-2024-0521 was publicly disclosed on January 20, 2024. The vulnerability's severity is high due to the ease of exploitation and potential for significant impact. No public proof-of-concept exploits have been widely reported at the time of writing, but the nature of command injection vulnerabilities makes it likely that exploits will emerge. The vulnerability is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS: 0.10% (27th percentile)
CVSS Vector
The primary mitigation for CVE-2024-0521 is to upgrade to PaddlePaddle version 2.6.0 or later, which contains the fix. If upgrading immediately is not possible, validate and sanitize the URL parameter before it is used in command construction; while not a complete solution, this reduces the risk. Additionally, restrict network access to the PaddlePaddle deployment to trusted sources only, and monitor system logs for suspicious command execution patterns.
Update paddlepaddle/paddle to the latest available version. This will fix the code injection vulnerability. See the release notes for more details about the fix.
CVE-2024-0521 is a critical command injection vulnerability affecting PaddlePaddle versions up to 2.5.2. It allows attackers to execute arbitrary commands by manipulating a URL parameter, potentially leading to remote code execution.
You are affected if you are using PaddlePaddle version 2.5.2 or earlier. Check your PaddlePaddle version and upgrade if necessary.
Upgrade to PaddlePaddle version 2.6.0 or later to resolve this vulnerability. If immediate upgrade is not possible, implement input validation on the URL parameter.
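The two interim controls the advisory recommends, checking the installed or pinned PaddlePaddle version against the fixed release and validating a URL before it reaches a command line, can both be expressed as small defensive checks. The block below is an added example written for this page; it is not PaddlePaddle project code, and the advisory does not name the affected API. The function names, the `wget`-style downloader argv and the sample requirements lines are assumptions constructed for illustration.

```python
"""Added example (not PaddlePaddle project code): defensive checks drawn from
the advisory's mitigation advice for CVE-2024-0521.

1. A version gate: does a version string predate the fixed release 2.6.0?
2. A requirements.txt scan that reports vulnerable paddlepaddle pins.
3. An allow-list URL validator plus an argv-based command builder, so a URL
   that must reach an external command is passed as one argument and never
   interpreted by a shell.
Function names and the downloader command shape are assumptions for
illustration; the advisory does not identify the vulnerable API.
"""
import re
from urllib.parse import urlsplit

FIXED_VERSION = (2, 6, 0, 1)  # advisory: fixed in 2.6.0; trailing 1 = final release

_VERSION_RE = re.compile(r"^\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?")
_PRERELEASE_RE = re.compile(r"^[-_.]?(a|b|rc|dev|alpha|beta|pre)", re.I)


def parse_version(text):
    """Turn '2.5.2', '2.4' or '2.6.0rc0' into a comparable tuple.
    A pre-release of the fixed version (2.6.0rc0) is ranked below the final
    2.6.0, so it is treated as vulnerable; that is the conservative choice."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(g) if g is not None else 0 for g in m.groups())
    final = 0 if _PRERELEASE_RE.match(text[m.end():]) else 1
    return (major, minor, patch, final)


def is_vulnerable_version(text):
    """True when the version predates the fix (2.5.2 and earlier per the advisory)."""
    return parse_version(text) < FIXED_VERSION


# paddlepaddle-gpu is the CUDA build on PyPI; assumed here to follow the same
# version line as paddlepaddle.
_REQ_RE = re.compile(r"^\s*(paddlepaddle(?:-gpu)?)\s*==\s*([0-9][^\s;#]*)", re.I)


def scan_requirements(text):
    """Report pinned paddlepaddle lines from requirements.txt content as
    [(package, version, vulnerable)]. Unpinned or range specifiers are skipped
    because the installed version cannot be known from the file alone."""
    found = []
    for line in text.splitlines():
        m = _REQ_RE.match(line)
        if m:
            found.append((m.group(1).lower(), m.group(2), is_vulnerable_version(m.group(2))))
    return found


# Allow-lists for the pieces of a download URL. Anything outside these sets
# (whitespace, quotes, ';', '|', '$', backticks, '&&' ...) is rejected rather
# than escaped. IPv6 literals and userinfo are deliberately not accepted.
_HOST_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")
_PATH_RE = re.compile(r"^[A-Za-z0-9._~/%+-]*$")
_QUERY_RE = re.compile(r"^[A-Za-z0-9._~/%+=&-]*$")


def validate_download_url(url):
    """Allow-list validation of a URL destined for an external command.
    Returns the URL unchanged on success, raises ValueError otherwise."""
    if any(c.isspace() or ord(c) < 0x20 for c in url):
        raise ValueError("whitespace or control characters in URL")
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError("only http/https URLs are accepted")
    if parts.username or parts.password:
        raise ValueError("credentials in URL are not accepted")
    if not parts.hostname or not _HOST_RE.match(parts.hostname):
        raise ValueError("invalid host")
    parts.port  # raises ValueError on a non-numeric or out-of-range port
    if not _PATH_RE.match(parts.path) or not _QUERY_RE.match(parts.query):
        raise ValueError("disallowed characters in path or query")
    if parts.fragment:
        raise ValueError("fragment is never sent to a server; rejected")
    return url


def build_download_argv(url, dest_path):
    """Return an argv list for the downloader, never a shell string.
    Passing a list to subprocess.run with shell=False means each element is
    one argument: metacharacters in `url` are data, not syntax. `--` ends
    option parsing so a URL can never be read as a flag. The wget shape is an
    assumption; the point is the list, not the tool."""
    validate_download_url(url)
    if not re.fullmatch(r"[A-Za-z0-9._/-]+", dest_path) or ".." in dest_path.split("/"):
        raise ValueError("invalid destination path")
    return ["wget", "-O", dest_path, "--", url]


# Constructed sample input, not taken from any real project.
SAMPLE_REQUIREMENTS = """\
numpy==1.26.0
paddlepaddle==2.5.2   # constructed sample: vulnerable pin
requests>=2.31
"""

if __name__ == "__main__":
    for pkg, ver, vuln in scan_requirements(SAMPLE_REQUIREMENTS):
        print(f"{pkg}=={ver}: {'VULNERABLE, upgrade to 2.6.0+' if vuln else 'ok'}")
    print(build_download_argv("https://example.com/model.tar.gz?v=1", "/tmp/model.tar.gz"))
    try:
        validate_download_url("https://example.com/model; id")
    except ValueError as e:
        print("rejected:", e)
```

The version gate ranks a pre-release such as `2.6.0rc0` below the final `2.6.0` so that only a full 2.6.0 or later counts as fixed. The URL check is an allow-list rather than a deny-list of shell characters, and the command is built as an argv list, which removes the shell from the path entirely; validation then only has to keep the URL well-formed, not defend against quoting tricks.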
While no widespread exploitation has been confirmed, the nature of command injection vulnerabilities suggests that exploitation is likely. Monitor your systems for suspicious activity.
Refer to the PaddlePaddle security advisory for detailed information and updates: [https://github.com/PaddlePaddle/Paddle/security/advisories/GHSA-9999](https://github.com/PaddlePaddle/Paddle/security/advisories/GHSA-9999)