平台
python
组件
lightning-ai/pytorch-lightning
修复版本
2.3.3
CVE-2024-5980 is an Arbitrary File Access vulnerability affecting pytorch-lightning versions up to 2.3.3. This vulnerability allows attackers to exploit path traversal within the /v1/runs API endpoint, enabling the deployment of malicious plugins that can write arbitrary files to the victim's file system. The vulnerability was published on 2024-06-27 and a fix is available in version 2.3.3.
The primary impact of CVE-2024-5980 is the potential for remote code execution (RCE). An attacker can leverage the path traversal vulnerability in the /v1/runs API to upload a malicious tar.gz plugin. This plugin, when processed by pytorch-lightning, can be crafted to write arbitrary files to any directory accessible by the LightningApp process. This could include overwriting critical system files, injecting malicious code, or gaining persistent access to the system. The blast radius extends to any system running a vulnerable pytorch-lightning instance with the plugin_server enabled, particularly those handling sensitive data or critical infrastructure.
This vulnerability is considered highly exploitable due to the ease of path traversal exploitation and the potential for RCE. While no public exploits have been widely reported, the vulnerability has been added to the CISA KEV catalog, indicating a heightened risk of exploitation. Public proof-of-concept code is likely to emerge, increasing the risk of widespread attacks. The vulnerability's impact is amplified by the popularity of pytorch-lightning within the machine learning community.
Organizations and individuals using pytorch-lightning for machine learning projects, particularly those deploying LightningApps with the plugin_server enabled, are at risk. This includes researchers, data scientists, and developers working with deep learning models. Shared hosting environments where multiple users share a pytorch-lightning instance are also at increased risk.
• python / pytorch-lightning: Monitor for suspicious tar.gz file uploads to the /v1/runs API endpoint.
import requests
url = "YOUR_PYTORCH_LIGHTNING_ENDPOINT/v1/runs"
files = {'plugin': open('malicious_plugin.tar.gz', 'rb')}
response = requests.post(url, files=files)
print(response.status_code)• python / pytorch-lightning: Check for unexpected file modifications in directories accessible by the LightningApp process using file integrity monitoring tools.
• generic web: Monitor access logs for requests to the /v1/runs API endpoint with unusual or potentially malicious file names.
disclosure
patch
漏洞利用状态
EPSS
10.73% (93% 百分位)
CISA SSVC
CVSS 向量
The primary mitigation for CVE-2024-5980 is to upgrade to pytorch-lightning version 2.3.3 or later, which contains the fix. If upgrading immediately is not feasible, consider disabling the plugin_server feature to prevent the vulnerable API endpoint from being exposed. As a temporary workaround, implement strict input validation on the /v1/runs API endpoint to prevent path traversal attempts. This could involve whitelisting allowed file extensions and validating the destination directory. Monitor system logs for suspicious file creation or modification activity.
将 pytorch-lightning 库升级到 2.3.3 或更高版本。这修复了 /v1/runs API 端点的路径遍历漏洞。升级将防止攻击者在您的系统上写入任意文件。
漏洞分析和关键警报直接发送到您的邮箱。
CVE-2024-5980 is a CRITICAL vulnerability in pytorch-lightning versions ≤2.3.3 allowing attackers to exploit path traversal in the /v1/runs API, potentially leading to remote code execution.
You are affected if you are using pytorch-lightning versions 2.2.4 or earlier and have the plugin_server enabled.
Upgrade to pytorch-lightning version 2.3.3 or later. If immediate upgrade is not possible, disable the plugin_server.
While no widespread exploitation has been confirmed, the vulnerability has been added to the CISA KEV catalog, indicating a potential risk.
Refer to the pytorch-lightning security advisory: [https://lightning.ai/blog/security-update-cve-2024-5980](https://lightning.ai/blog/security-update-cve-2024-5980)
上传你的 requirements.txt 文件,立即知道是否受影响。