SQL Injection Leading to Arbitrary File Reading
A SQL injection vulnerability in the Neural Compressor's `neural_solution` server allows attackers to manipulate database entries and download arbitrary files from the host system. This issue affects version 2.4 and was patched in version 2.5.0.
Available publicly on May 15 2024
Remediation Steps
- Ensure your Neural Compressor installation is updated to version 2.5.0 or later.
- Review and sanitize all input fields to prevent SQL injection.
- Implement strict validation and filtering on the
/download/<task_id>
endpoint to ensure only authorized files can be downloaded. - Regularly audit and monitor the system for any unauthorized access or anomalies.
Patch Details
- Fixed Version: 2.5.0
- Patch Commit: https://github.com/intel/neural-compressor/commit/24419c9044fe227ea806db370c1a30272d026f8a
Want more out of Sightline?
Sightline offers even more for premium customers
Go Premium
We have - related security advisories that are available with Sightline Premium.