What is CVE-2024-5980 — Arbitrary File Access in pytorch-lightning?

CVE-2024-5980 is a CRITICAL vulnerability in pytorch-lightning versions ≤2.3.3 allowing attackers to exploit path traversal in the /v1/runs API, potentially leading to remote code execution.

Am I affected by CVE-2024-5980 in pytorch-lightning?

You are affected if you are using pytorch-lightning versions 2.2.4 or earlier and have the plugin_server enabled.

How do I fix CVE-2024-5980 in pytorch-lightning?

Upgrade to pytorch-lightning version 2.3.3 or later. If immediate upgrade is not possible, disable the plugin_server.

Is CVE-2024-5980 being actively exploited?

While no widespread exploitation has been confirmed, the vulnerability has been added to the CISA KEV catalog, indicating a potential risk.

Where can I find the official pytorch-lightning advisory for CVE-2024-5980?

Refer to the pytorch-lightning security advisory: [https://lightning.ai/blog/security-update-cve-2024-5980](https://lightning.ai/blog/security-update-cve-2024-5980)

CVE-2024-5980 — Vulnerability Details

NEXTGUARD

Escanear grátis

CVE-2024-5980 — Vulnerability Details | NextGuard

Passos de Detecçãotraduzindo…

• python / pytorch-lightning: Monitor for suspicious tar.gz file uploads to the /v1/runs API endpoint.

import requests

url = "YOUR_PYTORCH_LIGHTNING_ENDPOINT/v1/runs"
files = {'plugin': open('malicious_plugin.tar.gz', 'rb')}
response = requests.post(url, files=files)
print(response.status_code)

• python / pytorch-lightning: Check for unexpected file modifications in directories accessible by the LightningApp process using file integrity monitoring tools. • generic web: Monitor access logs for requests to the /v1/runs API endpoint with unusual or potentially malicious file names.

Arbitrary File Write via /v1/runs API endpoint in lightning-ai/pytorch-lightning

Impacto e Cenários de Ataquetraduzindo…

Contexto de Exploraçãotraduzindo…

Quem Está em Riscotraduzindo…

Passos de Detecçãotraduzindo…

Linha do Tempo do Ataque

Inteligência de Ameaças

Software Afetado

Classificação de Fraqueza (CWE)

Linha do tempo

Mitigação e Soluções Alternativastraduzindo…

Como corrigirtraduzindo…

Boletim de Segurança CVE

Perguntas frequentestraduzindo…

What is CVE-2024-5980 — Arbitrary File Access in pytorch-lightning?

Am I affected by CVE-2024-5980 in pytorch-lightning?

How do I fix CVE-2024-5980 in pytorch-lightning?

Is CVE-2024-5980 being actively exploited?

Where can I find the official pytorch-lightning advisory for CVE-2024-5980?

Seu projeto está afetado?

Detecte esta CVE no seu projeto