torchgeo
Fixed in 0.6.1
CVE-2024-49048 describes a Remote Code Execution (RCE) vulnerability within the torchgeo library, specifically affecting versions up to 0.6.0. This flaw allows an attacker to potentially execute arbitrary code on a system by crafting malicious datasets. A fix has been released in version 0.6.1, and users are strongly advised to upgrade to mitigate this risk.
The RCE vulnerability in torchgeo arises from insufficient validation of data within datasets. An attacker could craft a specially designed dataset that, when processed by torchgeo, triggers the execution of arbitrary code. This could lead to complete system compromise, including data theft, malware installation, and denial of service. The impact is particularly severe because torchgeo is often used in machine learning pipelines, potentially exposing sensitive data and infrastructure to malicious actors. The ability to execute code within the context of the torchgeo process grants a high degree of control over the affected system.
CVE-2024-49048 was published on 2024-11-12. Currently, there are no publicly available exploits. The EPSS score is pending evaluation. It is not listed on the CISA KEV catalog at the time of this writing. The vulnerability's reliance on crafted datasets suggests a potential for targeted attacks within machine learning workflows.
Organizations and individuals utilizing torchgeo in their machine learning pipelines, particularly those processing data from untrusted sources, are at risk. This includes researchers, data scientists, and developers working with geospatial data analysis using Python.
• python / supply-chain:

```python
import re

try:
    import torchgeo

    # The version string lives on the top-level package, not on torchgeo.datasets.
    version = torchgeo.__version__
    # Compare the numeric release segments as a tuple: plain string comparison
    # would order "0.10.0" before "0.6.0" and mis-classify newer releases.
    parts = tuple(int(p) for p in re.findall(r"\d+", version)[:3])
    if parts <= (0, 6, 0):
        print(f"torchgeo version {version} is vulnerable to CVE-2024-49048")
    else:
        print(f"torchgeo version {version} is not affected by CVE-2024-49048")
except ImportError:
    print("torchgeo is not installed.")
```

• python / server: Check installed packages using `pip list` and identify vulnerable versions of torchgeo.
• generic web: Monitor network traffic for unusual connections originating from Python processes running torchgeo.
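The import-time check above only works inside an environment where the package can be imported. As an added example that is not part of this advisory or of the torchgeo project, the following script applies the same `pip list` idea offline: it classifies a `pip list --format=freeze` listing or a requirements.txt file against the affected range the page states (every release up to and including 0.6.0, fixed in 0.6.1). The `torchgeo_status`, `parse_requirement` and `release_tuple` functions, the requirement regex and the sample listing are all constructed here; floating constraints such as `>=0.5` are reported separately because the file alone does not settle which version a resolver would install.

```python
"""Flag affected torchgeo entries in a `pip list --format=freeze` listing or a
requirements.txt file, offline.

Added example for this advisory, not code from the page or from the torchgeo
project. Assumptions: the affected range is every release up to and including
0.6.0 and the fix is 0.6.1 (as the advisory states); requirement lines use the
usual `name==version` / `name>=version` forms; only the numeric release
segments of a version are compared.
"""
import re
from typing import Iterable, Optional, Tuple

AFFECTED_MAX = (0, 6, 0)   # last affected release per the advisory
FIXED_VERSION = "0.6.1"    # first fixed release per the advisory

# Matches `name==1.2.3`, `Name >= 1.2`, `name[extra]==1.2`; comments and blank lines do not match.
_REQ_RE = re.compile(
    r"^\s*(?P<name>[A-Za-z0-9_.-]+)(?:\[[^\]]*\])?\s*"
    r"(?P<op>==|>=|<=|~=|!=|>|<)\s*(?P<ver>[^\s;#]+)"
)


def release_tuple(version: str) -> Tuple[int, ...]:
    """Numeric release segments of a version string, e.g. "0.10.1rc1" -> (0, 10, 1).

    Tuples compare correctly where plain strings do not ("0.10.0" > "0.6.0").
    """
    return tuple(int(p) for p in re.findall(r"\d+", version)[:3])


def parse_requirement(line: str) -> Optional[Tuple[str, str, str]]:
    """Return (normalized name, operator, version) or None for lines that are not pins."""
    m = _REQ_RE.match(line)
    if not m:
        return None
    name = m.group("name").lower().replace("_", "-")  # PEP 503-style name normalization
    return name, m.group("op"), m.group("ver")


def torchgeo_status(lines: Iterable[str]) -> Tuple[str, Optional[str]]:
    """Classify a listing for CVE-2024-49048.

    Returns one of:
      ("not-installed", None)  no torchgeo entry found
      ("affected", version)    exact pin / frozen version <= 0.6.0
      ("fixed", version)       exact pin / frozen version >= 0.6.1
      ("unpinned", constraint) a floating constraint (e.g. ">=0.5") whose resolved
                               version cannot be judged from the file alone
    """
    for line in lines:
        parsed = parse_requirement(line)
        if parsed is None or parsed[0] != "torchgeo":
            continue
        _, op, ver = parsed
        if op != "==":
            # A range may resolve to 0.6.0 or 0.6.1 depending on the resolver;
            # only the installed or locked version settles it.
            return "unpinned", f"{op}{ver}"
        if release_tuple(ver) <= AFFECTED_MAX:
            return "affected", ver
        return "fixed", ver
    return "not-installed", None


# Constructed sample in `pip list --format=freeze` style (not a real environment).
SAMPLE_FREEZE = """\
numpy==1.26.4
rasterio==1.3.9
# geospatial stack
TorchGeo==0.6.0
torch==2.3.1
"""

if __name__ == "__main__":
    status, detail = torchgeo_status(SAMPLE_FREEZE.splitlines())
    if status == "affected":
        print(f"torchgeo {detail} is affected by CVE-2024-49048; upgrade to {FIXED_VERSION} or later")
    elif status == "fixed":
        print(f"torchgeo {detail} is at or above the fixed release")
    elif status == "unpinned":
        print(f"torchgeo constraint {detail} is not an exact pin; check the installed version")
    else:
        print("torchgeo is not present in the listing")
```

Run it against real output with `pip list --format=freeze > freeze.txt` and pass `open("freeze.txt").read().splitlines()` to `torchgeo_status`; an "unpinned" result from a requirements file means the lock file or the installed environment has to be checked before the dependency can be called fixed.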
EPSS: 0.50% (66th percentile)
The primary mitigation for CVE-2024-49048 is to upgrade to torchgeo version 0.6.1 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing stricter input validation on datasets processed by torchgeo. While a direct WAF rule is unlikely to be effective, implementing network segmentation to limit the potential blast radius of a successful exploit is recommended. Monitor system logs for unusual process execution or network activity originating from torchgeo processes.
Update the TorchGeo library to version 0.6.1 or later. This fixes the remote code execution vulnerability. You can update using `pip install torchgeo --upgrade`.
CVE-2024-49048 is a Remote Code Execution vulnerability affecting torchgeo versions up to 0.6.0. It allows an attacker to execute arbitrary code via crafted datasets, potentially leading to system compromise.
You are affected if you are using torchgeo version 0.6.0 or earlier. Check your installed version using `pip list`.
Upgrade to torchgeo version 0.6.1 or later. If immediate upgrade is not possible, implement stricter input validation on datasets.
As of the current date, there are no confirmed reports of active exploitation, but the vulnerability's severity warrants immediate attention.
Refer to the torchgeo project's GitHub repository and release notes for the official advisory and details on the fix: [https://github.com/NVlabs/torchgeo](https://github.com/NVlabs/torchgeo)