Platform
java
Component
ai.djl:api
Fixed in
0.1.1
0.28.0
CVE-2024-37902 is a critical Path Traversal vulnerability affecting DeepJavaLibrary (DJL) versions 0.1.0 through 0.27.0. This vulnerability allows attackers to overwrite system files by exploiting the lack of prevention for absolute path archived artifacts. Affected users should upgrade to DJL version 0.28.0 or utilize the patched Deep Learning Containers 0.27.0 to resolve this issue.
The core of this vulnerability lies in DJL's handling of archived artifacts. Specifically, the library fails to adequately validate paths when extracting these archives, permitting attackers to specify absolute paths. This allows an attacker to craft a malicious archive containing files designed to overwrite critical system files. The potential impact is severe, ranging from complete system compromise to denial of service. Successful exploitation could lead to the installation of malware, data exfiltration, or the complete takeover of the affected system. The ability to overwrite system files elevates the blast radius significantly, potentially impacting other applications and services running on the same host.
This vulnerability has gained attention due to its critical severity and potential for widespread impact. While no public exploits have been widely reported, the ease of exploitation and the potential for system-level compromise make it a high-priority concern. The vulnerability was disclosed on 2024-06-17. It is not currently listed on the CISA KEV catalog, but its severity warrants close monitoring. The lack of a public proof-of-concept does not diminish the risk, as the vulnerability is relatively straightforward to exploit.
Exploit Status
EPSS
0.29% (52% percentile)
CISA SSVC
CVSS Vector
The primary mitigation is to upgrade to DJL version 0.28.0, which includes the necessary fixes to prevent absolute path traversal. If upgrading is not immediately feasible, consider utilizing the patched Deep Learning Containers 0.27.0 provided by AWS. As a temporary workaround, restrict access to the DJL API to trusted sources and implement strict file system permissions to limit the impact of a potential exploit. Monitor system logs for unusual file creation or modification activity, particularly in sensitive system directories. After upgrading, confirm the fix by attempting to extract an archive with an absolute path and verifying that the extraction fails with an appropriate error message.
Update DeepJavaLibrary to version 0.28.0 or higher. If you cannot update immediately, consider applying the patch available for version 0.27.0 in DJL Large Model Inference containers. This will prevent the path traversal vulnerability that allows for overwriting of system files.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2024-37902 is a critical Path Traversal vulnerability in ai.djl:api versions 0.1.0 through 0.27.0, allowing attackers to overwrite system files.
You are affected if you are using ai.djl:api versions 0.1.0 through 0.27.0. Upgrade to 0.28.0 or use patched Deep Learning Containers 0.27.0.
Upgrade to ai.djl:api version 0.28.0 or utilize the patched Deep Learning Containers 0.27.0 released by AWS.
While no widespread exploitation has been confirmed, the vulnerability's severity and ease of exploitation make it a high-priority concern.
Refer to the AWS Deep Learning Containers release notes for patched containers: https://github.com/aws/deep-learning-containers/releases
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your pom.xml file and we'll tell you instantly if you're affected.