Denial of Service and Arbitrary File Write via XGBoostLibExtractTool
A vulnerability in version 3.46.0.1 of the software allows attackers to cause a denial of service and write large files to arbitrary directories using the XGBoostLibExtractTool. The issue was patched in a subsequent release.
Available publicly on Dec 20 2024
Threat Overview
The vulnerability arises from the exposure of the XGBoostLibExtractTool class through the ast parser in the run_tool command. This allows an attacker to execute commands that can shut down the server or write large files to arbitrary directories, potentially leading to denial of service.
Attack Scenario
An attacker can exploit this vulnerability by sending a specially crafted request to the server running the vulnerable version of the software. By using the run_tool command with the XGBoostLibExtractTool class, the attacker can either shut down the server or write large files to arbitrary directories, causing a denial of service.
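As an added illustration (not the project's code; its run_tool command and XGBoostLibExtractTool class are known here only from the description above), the hypothetical Python dispatcher below contrasts a name lookup that exposes every class in a namespace with an allowlisted registry that also confines write destinations to a base directory. ExtractTool, ShutdownTool, OUTPUT_BASE and contained_path are constructed names for this example.

```python
import ast
from pathlib import Path

OUTPUT_BASE = Path("/tmp/tool_output")  # constructed base directory for this example

def contained_path(user_path: str, base: Path = OUTPUT_BASE) -> Path:
    """Resolve user_path beneath base and refuse anything that escapes it."""
    base = base.resolve()
    target = (base / user_path).resolve()
    if target != base and base not in target.parents:
        raise ValueError(f"destination escapes {base}: {user_path!r}")
    return target

class ExtractTool:
    """Stand-in for a library-extraction tool that writes under dest_dir."""
    def __init__(self, dest_dir):
        self.dest_dir = dest_dir

class ShutdownTool:
    """Stand-in for a tool that must never be reachable from a request."""

# What a naive dispatcher sees: every class in the module namespace.
NAMESPACE = {"ExtractTool": ExtractTool, "ShutdownTool": ShutdownTool}

# Hardened registry: tool name -> (class, one validator per positional argument).
ALLOWED_TOOLS = {"ExtractTool": (ExtractTool, [contained_path])}

def parse_call(spec: str):
    """Parse 'Tool(literal, ...)' only: a bare name with positional literal args."""
    node = ast.parse(spec, mode="eval").body
    if not isinstance(node, ast.Call) or not isinstance(node.func, ast.Name) or node.keywords:
        raise ValueError("expected a simple positional tool call")
    return node.func.id, [ast.literal_eval(a) for a in node.args]

def run_tool_unsafe(spec: str):
    """Vulnerable pattern: any class in the namespace is reachable by name, arguments unchecked."""
    name, args = parse_call(spec)
    return NAMESPACE[name](*args)

def run_tool_safe(spec: str):
    """Hardened pattern: explicit allowlist, fixed arity, validated arguments."""
    name, args = parse_call(spec)
    if name not in ALLOWED_TOOLS:
        raise PermissionError(f"tool not exposed: {name}")
    cls, validators = ALLOWED_TOOLS[name]
    if len(args) != len(validators):
        raise ValueError(f"{name} expects {len(validators)} argument(s)")
    return cls(*(check(arg) for check, arg in zip(validators, args)))
```

The unsafe dispatcher reaches ShutdownTool and accepts "/etc" as a destination; the safe one rejects both and keeps extraction paths under OUTPUT_BASE.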
Who is affected
Users running version 3.46.0.1 of the software are affected by this vulnerability.
Technical Report