Fixed in: 1.6.0
CVE-2022-0845 is a critical code injection vulnerability discovered in the PyTorch Lightning GitHub repository. This flaw allows an attacker to inject and execute arbitrary code, potentially leading to complete system compromise. The vulnerability affects versions of PyTorch Lightning up to and including 1.5.10.post0, with a fix available in version 1.6.0.
The code injection vulnerability in PyTorch Lightning arises from insufficient input validation within the repository. An attacker can craft malicious code and inject it into the system, leading to remote code execution (RCE). Successful exploitation could allow an attacker to gain full control over the affected system, including access to sensitive data, modification of system configurations, and installation of malware. The potential blast radius is significant, particularly in environments where PyTorch Lightning is used for training and deploying machine learning models, as attackers could compromise the entire training pipeline and potentially inject malicious models into production.
CVE-2022-0845 was publicly disclosed on March 5, 2022. While no active exploitation campaigns have been definitively linked to this CVE, the CRITICAL severity and the potential for RCE make it a high-priority vulnerability. No public proof-of-concept exploits were immediately available, but the nature of the vulnerability suggests that such exploits could be developed relatively easily. It is not currently listed on the CISA KEV catalog.
Organizations and individuals utilizing PyTorch Lightning for machine learning model training and deployment are at risk, particularly those using older versions (≤1.5.10.post0). This includes researchers, data scientists, and DevOps engineers working with PyTorch-based projects. Shared hosting environments where PyTorch Lightning is deployed could also be vulnerable if multiple users share the same environment and one user can inject malicious code.
• python / supply-chain:
```python
import subprocess
from packaging.version import Version  # bundled with pip; correct PEP 440 comparison

result = subprocess.run(['pip', 'show', 'pytorch-lightning'], capture_output=True, text=True)
for line in result.stdout.splitlines():  # locate the 'Version:' line instead of assuming its position
    if line.startswith('Version:') and Version(line.split(':', 1)[1].strip()) < Version('1.6.0'):
        print('Vulnerable version detected!')  # any release below 1.6.0, 1.5.10.post0 included
```
• python / server: Review PyTorch Lightning configuration files for any unusual or unexpected code snippets.
• generic web: Inspect PyTorch Lightning model deployment pipelines for potential injection points.
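The pip check above only covers the interpreter it runs in. As an added example (not code from the advisory or the PyTorch Lightning project), the scanner below also reads a requirements file and flags pins and lower bounds that still admit a release below 1.6.0; the sample requirements text and the version-parsing helper are constructed for this illustration.

```python
import re

FIXED = (1, 6, 0)  # first fixed release named in the advisory

def release_tuple(version: str) -> tuple:
    """Numeric release segments of a PEP 440 version, padded to 3 parts.
    '1.5.10.post0' -> (1, 5, 10); post/dev suffixes are dropped because
    every 1.5.x build, post-releases included, predates the 1.6.0 fix."""
    m = re.match(r'^\s*v?(\d+(?:\.\d+)*)', version)
    if not m:
        raise ValueError(f'unparseable version: {version!r}')
    parts = tuple(int(p) for p in m.group(1).split('.'))
    return parts + (0,) * (3 - len(parts))

def is_vulnerable(version: str) -> bool:
    """True for any release below 1.6.0, i.e. up to and including 1.5.10.post0."""
    return release_tuple(version) < FIXED

# A pytorch-lightning requirement line (either spelling, optional extras);
# captures the first version operator and its version, if present.
REQ_RE = re.compile(r'^\s*pytorch[-_]lightning(?:\[[^\]]*\])?(?![\w.-])\s*(==|>=|~=|<=|<|!=|>)?\s*([^\s;#,]*)', re.I)
def scan_requirements(text: str) -> list:
    """Return (line_no, message) for each line that pins or admits a vulnerable release."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = REQ_RE.match(line)
        if not m:
            continue
        op, ver = m.group(1), m.group(2)
        if op == '==' and is_vulnerable(ver):
            findings.append((n, f'pinned to vulnerable {ver}; upgrade to >=1.6.0'))
        elif op in ('>=', '~=') and is_vulnerable(ver):
            findings.append((n, f'lower bound {op}{ver} admits vulnerable releases'))
        elif op is None and not ver:
            findings.append((n, 'unpinned; verify the installed version is >= 1.6.0'))
    return findings

# Constructed sample requirements file, not taken from any real project.
SAMPLE_REQUIREMENTS = """\
torch==1.11.0
pytorch-lightning==1.5.10.post0
pytorch_lightning>=1.4
pytorch-lightning[extra]
numpy>=1.21
"""

if __name__ == '__main__':
    for n, msg in scan_requirements(SAMPLE_REQUIREMENTS):
        print(f'line {n}: {msg}')
```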
Exploit status: disclosure
EPSS: 0.27% (51st percentile)
CVSS vector:
The primary mitigation for CVE-2022-0845 is to immediately upgrade PyTorch Lightning to version 1.6.0 or later. If an immediate upgrade is not feasible due to compatibility issues or breaking changes, consider implementing stricter input validation on any user-provided data used within PyTorch Lightning workflows. While a direct WAF rule is unlikely to be effective, carefully reviewing and sanitizing any external data passed to PyTorch Lightning models can reduce the attack surface. Monitor PyTorch Lightning repositories for suspicious activity and review commit history for potentially malicious code.
Update the pytorch-lightning library to version 1.6.0 or later. This resolves the code injection vulnerability. You can update using pip: `pip install pytorch-lightning --upgrade`.
CVE-2022-0845 is a critical code injection vulnerability affecting PyTorch Lightning versions up to 1.5.10.post0, allowing attackers to execute arbitrary code.
If you are using PyTorch Lightning versions 1.5.10.post0 or earlier, you are vulnerable to this code injection vulnerability.
Upgrade PyTorch Lightning to version 1.6.0 or later to remediate the vulnerability. Review and sanitize any external data used within PyTorch Lightning workflows.
While no confirmed active exploitation campaigns have been publicly reported, the CRITICAL severity warrants immediate attention and mitigation.
Refer to the PyTorch Lightning GitHub repository and related security advisories for the latest information: [https://github.com/pytorch/pytorch-lightning](https://github.com/pytorch/pytorch-lightning)