Platform
python
Component
lightning-ai/pytorch-lightning
Opgelost in
2.3.3
CVE-2024-5980 is an Arbitrary File Access vulnerability affecting pytorch-lightning versions up to 2.3.3. This vulnerability allows attackers to exploit path traversal within the /v1/runs API endpoint, enabling the deployment of malicious plugins that can write arbitrary files to the victim's file system. The vulnerability was published on 2024-06-27 and a fix is available in version 2.3.3.
The primary impact of CVE-2024-5980 is the potential for remote code execution (RCE). An attacker can leverage the path traversal vulnerability in the /v1/runs API to upload a malicious tar.gz plugin. This plugin, when processed by pytorch-lightning, can be crafted to write arbitrary files to any directory accessible by the LightningApp process. This could include overwriting critical system files, injecting malicious code, or gaining persistent access to the system. The blast radius extends to any system running a vulnerable pytorch-lightning instance with the plugin_server enabled, particularly those handling sensitive data or critical infrastructure.
This vulnerability is considered highly exploitable due to the ease of path traversal exploitation and the potential for RCE. While no public exploits have been widely reported, the vulnerability has been added to the CISA KEV catalog, indicating a heightened risk of exploitation. Public proof-of-concept code is likely to emerge, increasing the risk of widespread attacks. The vulnerability's impact is amplified by the popularity of pytorch-lightning within the machine learning community.
Organizations and individuals using pytorch-lightning for machine learning projects, particularly those deploying LightningApps with the plugin_server enabled, are at risk. This includes researchers, data scientists, and developers working with deep learning models. Shared hosting environments where multiple users share a pytorch-lightning instance are also at increased risk.
• python / pytorch-lightning: Monitor for suspicious tar.gz file uploads to the /v1/runs API endpoint.
import requests
url = "YOUR_PYTORCH_LIGHTNING_ENDPOINT/v1/runs"
files = {'plugin': open('malicious_plugin.tar.gz', 'rb')}
response = requests.post(url, files=files)
print(response.status_code)• python / pytorch-lightning: Check for unexpected file modifications in directories accessible by the LightningApp process using file integrity monitoring tools.
• generic web: Monitor access logs for requests to the /v1/runs API endpoint with unusual or potentially malicious file names.
disclosure
patch
Exploit Status
EPSS
10.73% (93% percentiel)
CISA SSVC
CVSS-vector
The primary mitigation for CVE-2024-5980 is to upgrade to pytorch-lightning version 2.3.3 or later, which contains the fix. If upgrading immediately is not feasible, consider disabling the plugin_server feature to prevent the vulnerable API endpoint from being exposed. As a temporary workaround, implement strict input validation on the /v1/runs API endpoint to prevent path traversal attempts. This could involve whitelisting allowed file extensions and validating the destination directory. Monitor system logs for suspicious file creation or modification activity.
Actualice la biblioteca pytorch-lightning a la versión 2.3.3 o superior. Esto corrige la vulnerabilidad de path traversal en el endpoint /v1/runs API. La actualización evitará que atacantes escriban archivos arbitrarios en su sistema.
Kwetsbaarheidsanalyses en kritieke waarschuwingen direct in uw inbox.
CVE-2024-5980 is a CRITICAL vulnerability in pytorch-lightning versions ≤2.3.3 allowing attackers to exploit path traversal in the /v1/runs API, potentially leading to remote code execution.
You are affected if you are using pytorch-lightning versions 2.2.4 or earlier and have the plugin_server enabled.
Upgrade to pytorch-lightning version 2.3.3 or later. If immediate upgrade is not possible, disable the plugin_server.
While no widespread exploitation has been confirmed, the vulnerability has been added to the CISA KEV catalog, indicating a potential risk.
Refer to the pytorch-lightning security advisory: [https://lightning.ai/blog/security-update-cve-2024-5980](https://lightning.ai/blog/security-update-cve-2024-5980)
Upload je dependency-bestand en kom direct te weten of deze en andere CVEs jou raken.
Upload je requirements.txt-bestand en we vertellen je direct of je getroffen bent.