Severity: 10 Critical

Ecosystem: PyPI

SQL Injection Leading to Arbitrary File Reading

A SQL injection vulnerability in the Neural Compressor's `neural_solution` server allows attackers to manipulate database entries and download arbitrary files from the host system. This issue affects version 2.4 and was patched in version 2.5.0.

Available publicly on May 15, 2024

CVSS score: 10

CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Credit: williwollo

Remediation Steps

  • Ensure your Neural Compressor installation is updated to version 2.5.0 or later.
  • Review and sanitize all input fields to prevent SQL injection.
  • Implement strict validation and filtering on the /download/<task_id> endpoint to ensure only authorized files can be downloaded.
  • Regularly audit and monitor the system for any unauthorized access or anomalies.
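
The following is an added example, not code from the Neural Compressor project, of what the second and third remediation steps look like for a /download/<task_id> handler: the task id is checked against an allowed format, bound as a query parameter instead of pasted into the SQL text, and the path stored for the task is confined to a results directory before it is served. The `task` table, its columns, the id format and the `/srv/results` directory are assumptions for the demo.

```python
import re
import sqlite3
from pathlib import Path

# Assumed task-id format; anything else is rejected before the database is touched.
TASK_ID_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def setup_demo_db() -> sqlite3.Connection:
    """Constructed in-memory database: one row per task with its result file."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE task (id TEXT PRIMARY KEY, result_path TEXT)")
    conn.executemany(
        "INSERT INTO task VALUES (?, ?)",
        [("task-001", "task-001/result.zip"),
         ("task-002", "../../etc/passwd")],  # tampered row: must never be served
    )
    return conn


def lookup_result_unsafe(conn: sqlite3.Connection, task_id: str):
    """The anti-pattern: task_id is interpolated into the SQL text, so quoting
    characters in it become part of the statement, and whatever path the row
    holds is returned without any check."""
    row = conn.execute(
        f"SELECT result_path FROM task WHERE id = '{task_id}'").fetchone()
    return row[0] if row else None


def resolve_download_path(conn: sqlite3.Connection, task_id: str,
                          base_dir: str) -> Path:
    """Hardened lookup: validate the id, bind it as a parameter, and refuse any
    stored path that resolves outside base_dir (covers tampered DB rows)."""
    if not TASK_ID_RE.fullmatch(task_id):
        raise ValueError("invalid task id")
    row = conn.execute(
        "SELECT result_path FROM task WHERE id = ?", (task_id,)).fetchone()
    if row is None:
        raise LookupError("unknown task")
    base = Path(base_dir).resolve()
    target = (base / row[0]).resolve()
    if base not in target.parents:
        raise PermissionError("stored path escapes the results directory")
    return target


if __name__ == "__main__":
    db = setup_demo_db()
    print(resolve_download_path(db, "task-001", "/srv/results"))
```

Note that parameter binding alone would still hand out the tampered `task-002` row, which is why the path confinement check is a separate step.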

Patch Details

  • Fixed Version: 2.5.0
  • Patch Commit: https://github.com/intel/neural-compressor/commit/24419c9044fe227ea806db370c1a30272d026f8a