प्लेटफ़ॉर्म
python
घटक
paddlepaddle/paddle
में ठीक किया गया
2.6
CVE-2024-0818 is a critical Path Traversal vulnerability affecting PaddlePaddle versions prior to 2.6. This flaw allows attackers to overwrite arbitrary files on the system, potentially leading to complete system compromise. The vulnerability was published on March 7, 2024, and a fix is available in version 2.6.
The core of this vulnerability lies in PaddlePaddle's insufficient validation of user-supplied file paths. An attacker can craft malicious input that bypasses these checks, allowing them to specify a path outside the intended directory. This enables the overwriting of critical system files, configuration files, or even executable code. Successful exploitation could result in remote code execution, data corruption, denial of service, or complete system takeover. The impact is particularly severe given PaddlePaddle's use in machine learning and AI applications, where compromised models or data could have far-reaching consequences.
CVE-2024-0818 is currently not listed on the CISA KEV catalog. Public proof-of-concept exploits are not widely available, but the severity of the vulnerability (CVSS 9.1) suggests a high probability of exploitation if a suitable exploit is developed. The vulnerability's impact on machine learning workflows could make it a target for advanced persistent threat (APT) actors.
Organizations and individuals utilizing PaddlePaddle for machine learning and AI development are at risk. This includes researchers, data scientists, and developers deploying PaddlePaddle-based applications in production environments. Systems with older, unpatched PaddlePaddle installations are particularly vulnerable.
• python / supply-chain:
import os
import subprocess
# Check PaddlePaddle version
result = subprocess.run(['python', '-c', 'import paddle; print(paddle.__version__)'], capture_output=True, text=True)
version = result.stdout.strip()
if version <= '2.5':
print('PaddlePaddle version is vulnerable!')• generic web: Check for unusual file modifications in system logs. Monitor PaddlePaddle processes for unexpected file access patterns. • generic web: Examine PaddlePaddle configuration files for any signs of tampering or unauthorized modifications.
disclosure
patch
एक्सप्लॉइट स्थिति
EPSS
0.34% (57% शतमक)
CISA SSVC
CVSS वेक्टर
The primary mitigation for CVE-2024-0818 is to immediately upgrade to PaddlePaddle version 2.6 or later. If upgrading is not immediately feasible due to compatibility issues or testing requirements, consider implementing strict input validation on file paths within your application code. While not a complete solution, restricting access to sensitive directories and implementing file integrity monitoring can help limit the potential damage. Consider using a Web Application Firewall (WAF) with path traversal protection rules, though this is less effective than patching the underlying vulnerability. After upgrade, confirm by attempting to trigger the vulnerable functionality and verifying that file access is properly restricted.
paddlepaddle/paddle लाइब्रेरी को संस्करण 2.6 या उससे ऊपर के संस्करण में अपडेट करें। यह पथ पारगमन (Path Traversal) के माध्यम से मनमाना फ़ाइल ओवरराइट (Arbitrary File Overwrite) के भेद्यता को ठीक कर देगा। आप pip पैकेज मैनेजर का उपयोग करके अपडेट कर सकते हैं: `pip install paddlepaddle --upgrade`।
भेद्यता विश्लेषण और गंभीर अलर्ट सीधे आपके ईमेल में।
CVE-2024-0818 is a critical Path Traversal vulnerability in PaddlePaddle versions before 2.6, allowing attackers to overwrite arbitrary files.
If you are using PaddlePaddle versions prior to 2.6, you are potentially affected by this vulnerability.
Upgrade to PaddlePaddle version 2.6 or later to resolve this vulnerability. Implement input validation as a temporary workaround.
While no active exploitation has been confirmed, the high severity score suggests a potential for exploitation if a suitable exploit is developed.
Refer to the PaddlePaddle security advisory for detailed information and updates: [https://github.com/PaddlePaddle/Paddle/security/advisories/GHSA-9999](https://github.com/PaddlePaddle/Paddle/security/advisories/GHSA-9999)
अपनी डिपेंडेंसी फ़ाइल अपलोड करें और तुरंत जानें कि यह CVE और अन्य आपको प्रभावित करती हैं या नहीं।
अपनी requirements.txt फ़ाइल अपलोड करें और तुरंत जानें कि आप प्रभावित हैं या नहीं।